From fgsch at lodoss.net Thu Apr 2 16:14:00 2015 From: fgsch at lodoss.net (Federico G. Schwindt) Date: Thu, 02 Apr 2015 18:14:00 +0200 Subject: [master] c22ce39 Zap some old references Message-ID: commit c22ce3943bc8d5a2bd858d3c7bc4147b3e8aab92 Author: Federico G. Schwindt Date: Thu Apr 2 17:02:08 2015 +0100 Zap some old references diff --git a/bin/varnishd/flint.lnt b/bin/varnishd/flint.lnt index 1a34c01..5181c9e 100644 --- a/bin/varnishd/flint.lnt +++ b/bin/varnishd/flint.lnt @@ -3,8 +3,6 @@ -printf(3, VSL) -printf(2, http_PrintfHeader) --printf(4, WSL) --printf(3, WSLB) -printf(2, VSB_printf) -esym(755, vct_*) From phk at FreeBSD.org Tue Apr 7 07:22:50 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 07 Apr 2015 09:22:50 +0200 Subject: [master] b38d28f Integrate http1_wait() in the state engine Message-ID: commit b38d28f33c3f7b0eabde386c2d6cc66b62d2dcc9 Author: Poul-Henning Kamp Date: Thu Mar 26 12:34:43 2015 +0000 Integrate http1_wait() in the state engine diff --git a/bin/varnishd/http1/cache_http1_fsm.c b/bin/varnishd/http1/cache_http1_fsm.c index 0f1d46c..e675e95 100644 --- a/bin/varnishd/http1/cache_http1_fsm.c +++ b/bin/varnishd/http1/cache_http1_fsm.c 
@@ -45,48 +45,6 @@ #include "vtim.h" /*---------------------------------------------------------------------- - * Collect a request from the client. - */ - -static enum req_fsm_nxt -http1_wait(struct sess *sp, struct worker *wrk, struct req *req) -{ - enum htc_status_e hs; - - assert(isnan(req->t_prev)); - assert(isnan(req->t_req)); - AZ(req->vcl); - AZ(req->esi_level); - - hs = SES_RxReq(wrk, req, HTTP1_Complete); - if (hs < HTC_S_EMPTY) { - req->acct.req_hdrbytes += req->htc->rxbuf_e - req->htc->rxbuf_b; - CNT_AcctLogCharge(wrk->stats, req); - SES_ReleaseReq(req); - switch(hs) { - case HTC_S_CLOSE: SES_Delete(sp, SC_REM_CLOSE, 0.0); break; - case HTC_S_TIMEOUT: SES_Delete(sp, SC_RX_TIMEOUT, 0.0); break; - case HTC_S_OVERFLOW: SES_Delete(sp, SC_RX_OVERFLOW, 0.0); break; - case HTC_S_EOF: SES_Delete(sp, SC_REM_CLOSE, 0.0); break; - default: WRONG("htc_status (bad)"); - } - return (REQ_FSM_DONE); - } - if (hs == HTC_S_COMPLETE) { - req->acct.req_hdrbytes += - req->htc->rxbuf_e - req->htc->rxbuf_b; - return (REQ_FSM_MORE); - } - if (hs == HTC_S_IDLE) { - wrk->stats->sess_herd++; - SES_ReleaseReq(req); - SES_Wait(sp); - return (REQ_FSM_DONE); - } - WRONG("htc_status (nonbad)"); -} - -/*---------------------------------------------------------------------- * This is the final state, figure out if we should close or recycle * the client connection */ @@ -262,7 +220,7 @@ http1_dissect(struct worker *wrk, struct req *req) void HTTP1_Session(struct worker *wrk, struct req *req) { - enum req_fsm_nxt nxt = REQ_FSM_MORE; + enum htc_status_e hs; struct sess *sp; CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); 
@@ -299,9 +257,46 @@ HTTP1_Session(struct worker *wrk, struct req *req) sp->sess_step = S_STP_H1NEWREQ; break; case S_STP_H1NEWREQ: - nxt = http1_wait(sp, wrk, req); - if (nxt != REQ_FSM_MORE) + assert(isnan(req->t_prev)); + assert(isnan(req->t_req)); + AZ(req->vcl); + AZ(req->esi_level); + + hs = SES_RxReq(wrk, req, HTTP1_Complete); + if (hs < HTC_S_EMPTY) { + req->acct.req_hdrbytes += + req->htc->rxbuf_e - req->htc->rxbuf_b; + CNT_AcctLogCharge(wrk->stats, req); + SES_ReleaseReq(req); + switch(hs) { + case HTC_S_CLOSE: + SES_Delete(sp, SC_REM_CLOSE, 0.0); + return; + case HTC_S_TIMEOUT: + SES_Delete(sp, SC_RX_TIMEOUT, 0.0); + return; + case HTC_S_OVERFLOW: + SES_Delete(sp, SC_RX_OVERFLOW, 0.0); + return; + case HTC_S_EOF: + SES_Delete(sp, SC_REM_CLOSE, 0.0); + return; + default: + WRONG("htc_status (bad)"); + } + } + if (hs == HTC_S_IDLE) { + wrk->stats->sess_herd++; + SES_ReleaseReq(req); + SES_Wait(sp); return; + } + if (hs != HTC_S_COMPLETE) + WRONG("htc_status (nonbad)"); + + req->acct.req_hdrbytes += + req->htc->rxbuf_e - req->htc->rxbuf_b; + sp->sess_step = S_STP_H1WORKING; break; case S_STP_H1BUSY: From phk at FreeBSD.org Tue Apr 7 07:22:50 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 07 Apr 2015 09:22:50 +0200 Subject: [master] 01b46ff Move req allocation/deallocation to its own source file Message-ID: commit 01b46ff8aa10c2a10c04c92ca5158e68a4fddcf9 Author: Poul-Henning Kamp Date: Tue Apr 7 07:22:23 2015 +0000 Move req allocation/deallocation to its own source file diff --git a/bin/varnishd/Makefile.am b/bin/varnishd/Makefile.am index 3f817bd..1bf3355 100644 --- a/bin/varnishd/Makefile.am +++ b/bin/varnishd/Makefile.am @@ -34,6 +34,7 @@ varnishd_SOURCES = \ cache/cache_obj.c \ cache/cache_panic.c \ cache/cache_pool.c \ + cache/cache_req.c \ cache/cache_req_body.c \ cache/cache_req_fsm.c \ cache/cache_rfc2616.c \ diff --git a/bin/varnishd/cache/cache.h b/bin/varnishd/cache/cache.h index 1db2fa5..f7f710b 100644 
--- a/bin/varnishd/cache/cache.h +++ b/bin/varnishd/cache/cache.h @@ -118,7 +118,6 @@ struct pool; struct poolparam; struct req; struct sess; -struct sesspool; struct suckaddr; struct vbc; struct vrt_backend; @@ -638,6 +637,15 @@ struct req { * works, is not realistic without a lot of code changes. */ +struct sesspool { + unsigned magic; +#define SESSPOOL_MAGIC 0xd916e202 + struct pool *pool; + struct mempool *mpl_req; + struct mempool *mpl_sess; + + struct waiter *http1_waiter; +}; enum sess_attr { #define SESS_ATTR(UP, low, typ, len) SA_##UP, @@ -975,6 +983,10 @@ task_func_t VPX_Proto_Sess; /* cache_range.c [VRG] */ void VRG_dorange(struct req *req, struct busyobj *bo, const char *r); +/* cache_req.c */ +struct req *Req_New(const struct worker *, struct sess *); +void Req_Release(struct req *); + /* cache_session.c [SES] */ struct sess *SES_New(struct sesspool *); void SES_Close(struct sess *sp, enum sess_close reason); @@ -983,8 +995,6 @@ void SES_Delete(struct sess *sp, enum sess_close reason, double now); struct sesspool *SES_NewPool(struct pool *pp, unsigned pool_no); void SES_DeletePool(struct sesspool *sp); int SES_Reschedule_Req(struct req *); -struct req *SES_GetReq(const struct worker *, struct sess *); -void SES_ReleaseReq(struct req *); task_func_t SES_Proto_Sess; task_func_t SES_Proto_Req; diff --git a/bin/varnishd/cache/cache_esi_deliver.c b/bin/varnishd/cache/cache_esi_deliver.c index d9764be..a5c79a2 100644 --- a/bin/varnishd/cache/cache_esi_deliver.c +++ b/bin/varnishd/cache/cache_esi_deliver.c @@ -75,7 +75,7 @@ ved_include(struct req *preq, const char *src, const char *host) if (preq->esi_level >= cache_param->max_esi_depth) return; - req = SES_GetReq(wrk, preq->sp); + req = Req_New(wrk, preq->sp); req->req_body_status = REQ_BODY_NONE; AZ(req->vsl->wid); req->vsl->wid = VXID_Get(wrk, VSL_CLIENTMARKER); 
@@ -166,7 +166,7 @@ ved_include(struct req *preq, const char *src, const char *host) req->wrk = NULL; THR_SetRequest(preq); - SES_ReleaseReq(req); + Req_Release(req); } /*--------------------------------------------------------------------*/ diff --git a/bin/varnishd/cache/cache_hash.c b/bin/varnishd/cache/cache_hash.c index ccd80ad..8a15757 100644 --- a/bin/varnishd/cache/cache_hash.c +++ b/bin/varnishd/cache/cache_hash.c @@ -547,7 +547,7 @@ hsh_rush(struct worker *wrk, struct objhead *oh) sp = req->sp; CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); CNT_AcctLogCharge(wrk->stats, req); - SES_ReleaseReq(req); + Req_Release(req); SES_Delete(sp, SC_OVERLOAD, NAN); req = VTAILQ_FIRST(&wl->list); if (req == NULL) diff --git a/bin/varnishd/cache/cache_req.c b/bin/varnishd/cache/cache_req.c new file mode 100644 index 0000000..93a223c --- /dev/null +++ b/bin/varnishd/cache/cache_req.c 
@@ -0,0 +1,138 @@ +/*- + * Copyright (c) 2006 Verdens Gang AS + * Copyright (c) 2006-2011 Varnish Software AS + * All rights reserved. + * + * Author: Poul-Henning Kamp + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * Request management + * + */ + +#include "config.h" + +#include +#include +#include +#include + +#include "cache.h" + +/*-------------------------------------------------------------------- + * Alloc/Free a request + */ + +struct req * +Req_New(const struct worker *wrk, struct sess *sp) +{ + struct sesspool *pp; + struct req *req; + uint16_t nhttp; + unsigned sz, hl; + char *p, *e; + + CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); + CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); + pp = sp->sesspool; + CHECK_OBJ_NOTNULL(pp, SESSPOOL_MAGIC); + AN(pp->pool); + + req = MPL_Get(pp->mpl_req, &sz); + AN(req); + req->magic = REQ_MAGIC; + req->sp = sp; + req->top = req; // esi overrides + + e = (char*)req + sz; + p = (char*)(req + 1); + p = (void*)PRNDUP(p); + assert(p < e); + + nhttp = (uint16_t)cache_param->http_max_hdr; + hl = HTTP_estimate(nhttp); + + req->http = HTTP_create(p, nhttp); + p += hl; + p = (void*)PRNDUP(p); + assert(p < e); + + req->http0 = HTTP_create(p, nhttp); + p += hl; + p = (void*)PRNDUP(p); + assert(p < e); + + req->resp = HTTP_create(p, nhttp); + p += hl; + p = (void*)PRNDUP(p); + assert(p < e); + + sz = cache_param->vsl_buffer; + VSL_Setup(req->vsl, p, sz); + p += sz; + p = (void*)PRNDUP(p); + + assert(p < e); + + WS_Init(req->ws, "req", p, e - p); + + req->req_bodybytes = 0; + + req->t_first = NAN; + req->t_prev = NAN; + req->t_req = NAN; + + req->vdp_nxt = 0; + VTAILQ_INIT(&req->vdp); + + return (req); +} + +void +Req_Release(struct req *req) +{ + struct sess *sp; + struct sesspool *pp; + + CHECK_OBJ_NOTNULL(req, REQ_MAGIC); + + /* Make sure the request counters have all been zeroed */ +#define ACCT(foo) \ + AZ(req->acct.foo); +#include "tbl/acct_fields_req.h" +#undef ACCT + + AZ(req->vcl); + if (req->vsl->wid) + VSL_End(req->vsl); + sp = req->sp; + CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); + pp = sp->sesspool; + CHECK_OBJ_NOTNULL(pp, SESSPOOL_MAGIC); + AN(pp->pool); + CHECK_OBJ_NOTNULL(req, REQ_MAGIC); + MPL_AssertSane(req); + VSL_Flush(req->vsl, 0); + req->sp = 
NULL; + MPL_Free(pp->mpl_req, req); +} diff --git a/bin/varnishd/cache/cache_session.c b/bin/varnishd/cache/cache_session.c index e03f909..c5f321b 100644 --- a/bin/varnishd/cache/cache_session.c +++ b/bin/varnishd/cache/cache_session.c @@ -54,18 +54,6 @@ /*--------------------------------------------------------------------*/ -struct sesspool { - unsigned magic; -#define SESSPOOL_MAGIC 0xd916e202 - struct pool *pool; - struct mempool *mpl_req; - struct mempool *mpl_sess; - - struct waiter *http1_waiter; -}; - -/*--------------------------------------------------------------------*/ - static int ses_get_attr(const struct sess *sp, enum sess_attr a, void **dst) { @@ -381,7 +369,7 @@ SES_Proto_Sess(struct worker *wrk, void *arg) * involve a request... */ (void)VTCP_blocking(sp->fd); - req = SES_GetReq(wrk, sp); + req = Req_New(wrk, sp); CHECK_OBJ_NOTNULL(req, REQ_MAGIC); req->htc->fd = sp->fd; SES_RxInit(req->htc, req->ws, 
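Review bot: Req_New() carves the three HTTP structs, the VSL buffer and the workspace out of one mempool item using sizes taken from cache_param (http_max_hdr, vsl_buffer), and nothing in the new file says what keeps the item large enough; the only guard is the run of `assert(p < e)`. Since this is now the public allocator for requests, I would add a header comment describing the layout (struct req, http, http0, resp, VSL buffer, then workspace up to `e`) and stating that the mpl_req item size must be derived from the same parameters. The `(uint16_t)` cast on http_max_hdr also truncates silently if the parameter can exceed 65535; its bounds are not visible here, so either note the limit next to the cast or assert it. In Req_Release() the second `CHECK_OBJ_NOTNULL(req, REQ_MAGIC);` repeats the check at the top of the function and can be dropped. The code appears to be moved unchanged from cache_session.c, so these are carried-over issues rather than new ones.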
@@ -571,104 +559,6 @@ SES_Delete(struct sess *sp, enum sess_close reason, double now) } /*-------------------------------------------------------------------- - * Alloc/Free a request - */ - -struct req * -SES_GetReq(const struct worker *wrk, struct sess *sp) -{ - struct sesspool *pp; - struct req *req; - uint16_t nhttp; - unsigned sz, hl; - char *p, *e; - - CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); - CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); - pp = sp->sesspool; - CHECK_OBJ_NOTNULL(pp, SESSPOOL_MAGIC); - AN(pp->pool); - - req = MPL_Get(pp->mpl_req, &sz); - AN(req); - req->magic = REQ_MAGIC; - req->sp = sp; - req->top = req; // esi overrides - - e = (char*)req + sz; - p = (char*)(req + 1); - p = (void*)PRNDUP(p); - assert(p < e); - - nhttp = (uint16_t)cache_param->http_max_hdr; - hl = HTTP_estimate(nhttp); - - req->http = HTTP_create(p, nhttp); - p += hl; - p = (void*)PRNDUP(p); - assert(p < e); - - req->http0 = HTTP_create(p, nhttp); - p += hl; - p = (void*)PRNDUP(p); - assert(p < e); - - req->resp = HTTP_create(p, nhttp); - p += hl; - p = (void*)PRNDUP(p); - assert(p < e); - - sz = cache_param->vsl_buffer; - VSL_Setup(req->vsl, p, sz); - p += sz; - p = (void*)PRNDUP(p); - - assert(p < e); - - WS_Init(req->ws, "req", p, e - p); - - req->req_bodybytes = 0; - - req->t_first = NAN; - req->t_prev = NAN; - req->t_req = NAN; - - req->vdp_nxt = 0; - VTAILQ_INIT(&req->vdp); - - return (req); -} - -void -SES_ReleaseReq(struct req *req) -{ - struct sess *sp; - struct sesspool *pp; - - CHECK_OBJ_NOTNULL(req, REQ_MAGIC); - - /* Make sure the request counters have all been zeroed */ -#define ACCT(foo) \ - AZ(req->acct.foo); -#include "tbl/acct_fields_req.h" -#undef ACCT - - AZ(req->vcl); - if (req->vsl->wid) - VSL_End(req->vsl); - sp = req->sp; - CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); - pp = sp->sesspool; - CHECK_OBJ_NOTNULL(pp, SESSPOOL_MAGIC); - AN(pp->pool); - CHECK_OBJ_NOTNULL(req, REQ_MAGIC); - MPL_AssertSane(req); - VSL_Flush(req->vsl, 0); - req->sp = NULL; - MPL_Free(pp->mpl_req, 
req); -} - -/*-------------------------------------------------------------------- * Create and delete pools */ diff --git a/bin/varnishd/http1/cache_http1_fsm.c b/bin/varnishd/http1/cache_http1_fsm.c index e675e95..81214f2 100644 --- a/bin/varnishd/http1/cache_http1_fsm.c +++ b/bin/varnishd/http1/cache_http1_fsm.c @@ -101,7 +101,7 @@ http1_cleanup(struct sess *sp, struct worker *wrk, struct req *req) if (sp->fd < 0) { wrk->stats->sess_closed++; AZ(req->vcl); - SES_ReleaseReq(req); + Req_Release(req); SES_Delete(sp, SC_NULL, NAN); return (1); } @@ -267,7 +267,7 @@ HTTP1_Session(struct worker *wrk, struct req *req) req->acct.req_hdrbytes += req->htc->rxbuf_e - req->htc->rxbuf_b; CNT_AcctLogCharge(wrk->stats, req); - SES_ReleaseReq(req); + Req_Release(req); switch(hs) { case HTC_S_CLOSE: SES_Delete(sp, SC_REM_CLOSE, 0.0); @@ -287,7 +287,7 @@ HTTP1_Session(struct worker *wrk, struct req *req) } if (hs == HTC_S_IDLE) { wrk->stats->sess_herd++; - SES_ReleaseReq(req); + Req_Release(req); SES_Wait(sp); return; } From phk at FreeBSD.org Tue Apr 7 07:36:57 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 07 Apr 2015 09:36:57 +0200 Subject: [master] 1c09b7b Turn http1_cleanup() into Req_Cleanup() Message-ID: commit 1c09b7b0e6cb36f5d06e6c2188aa35aabf05f033 Author: Poul-Henning Kamp Date: Tue Apr 7 07:36:31 2015 +0000 Turn http1_cleanup() into Req_Cleanup() diff --git a/bin/varnishd/cache/cache.h b/bin/varnishd/cache/cache.h index f7f710b..4eda863 100644 --- a/bin/varnishd/cache/cache.h +++ b/bin/varnishd/cache/cache.h @@ -986,6 +986,7 @@ void VRG_dorange(struct req *req, struct busyobj *bo, const char *r); /* cache_req.c */ struct req *Req_New(const struct worker *, struct sess *); void Req_Release(struct req *); +int Req_Cleanup(struct sess *sp, struct worker *wrk, struct req *req); /* cache_session.c [SES] */ struct sess *SES_New(struct sesspool *); diff --git a/bin/varnishd/cache/cache_req.c b/bin/varnishd/cache/cache_req.c index 93a223c..1804b1c 100644 
--- a/bin/varnishd/cache/cache_req.c +++ b/bin/varnishd/cache/cache_req.c @@ -39,6 +39,8 @@ #include "cache.h" +#include "vtim.h" + /*-------------------------------------------------------------------- * Alloc/Free a request */ @@ -136,3 +138,68 @@ Req_Release(struct req *req) req->sp = NULL; MPL_Free(pp->mpl_req, req); } + +/*---------------------------------------------------------------------- + */ + +int +Req_Cleanup(struct sess *sp, struct worker *wrk, struct req *req) +{ + + CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); + CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); + CHECK_OBJ_NOTNULL(req, REQ_MAGIC); + assert(sp == req->sp); + + req->director_hint = NULL; + req->restarts = 0; + + AZ(req->esi_level); + assert(req->top == req); + + if (req->vcl != NULL) { + if (wrk->vcl != NULL) + VCL_Rel(&wrk->vcl); + wrk->vcl = req->vcl; + req->vcl = NULL; + } + + VRTPRIV_dynamic_kill(sp->privs, (uintptr_t)req); + VRTPRIV_dynamic_kill(sp->privs, (uintptr_t)&req->top); + + /* Charge and log byte counters */ + AN(req->vsl->wid); + CNT_AcctLogCharge(wrk->stats, req); + req->req_bodybytes = 0; + + VSL_End(req->vsl); + + if (!isnan(req->t_prev) && req->t_prev > 0.) + sp->t_idle = req->t_prev; + else + sp->t_idle = W_TIM_real(wrk); + + req->t_first = NAN; + req->t_prev = NAN; + req->t_req = NAN; + req->req_body_status = REQ_BODY_INIT; + + req->hash_always_miss = 0; + req->hash_ignore_busy = 0; + req->is_hit = 0; + + if (sp->fd >= 0 && req->doclose != SC_NULL) + SES_Close(sp, req->doclose); + + if (sp->fd < 0) { + wrk->stats->sess_closed++; + AZ(req->vcl); + Req_Release(req); + SES_Delete(sp, SC_NULL, NAN); + return (1); + } + + WS_Reset(req->ws, NULL); + WS_Reset(wrk->aws, NULL); + return (0); +} diff --git a/bin/varnishd/http1/cache_http1_fsm.c b/bin/varnishd/http1/cache_http1_fsm.c index 81214f2..acded52 100644 --- a/bin/varnishd/http1/cache_http1_fsm.c +++ b/bin/varnishd/http1/cache_http1_fsm.c 
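Review bot: Req_Cleanup() is now an exported function but its banner comment is empty, and its return value decides whether the caller may still touch `req` and `sp`: on the `sp->fd < 0` path it calls Req_Release() and SES_Delete() and returns 1. I would restore the description the static http1_cleanup() had and add the contract, e.g. `/* Returns 1 if req was released and sp deleted (caller must not use either again), 0 if req was reset for reuse. */`. The move also drops `CHECK_OBJ_ORNULL(req->vcl, VCL_CONF_MAGIC);` and adds `assert(sp == req->sp);`; if the magic check went only to avoid including vcl.h here, it is worth keeping, because `req->vcl` is handed to `wrk->vcl` a few lines later.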
@@ -40,76 +40,7 @@ #include "cache/cache.h" #include "hash/hash_slinger.h" -#include "vcl.h" #include "vtcp.h" -#include "vtim.h" - -/*---------------------------------------------------------------------- - * This is the final state, figure out if we should close or recycle - * the client connection - */ - -static int -http1_cleanup(struct sess *sp, struct worker *wrk, struct req *req) -{ - - CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); - CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); - CHECK_OBJ_NOTNULL(req, REQ_MAGIC); - CHECK_OBJ_ORNULL(req->vcl, VCL_CONF_MAGIC); - - req->director_hint = NULL; - req->restarts = 0; - - AZ(req->esi_level); - assert(req->top == req); - - if (req->vcl != NULL) { - if (wrk->vcl != NULL) - VCL_Rel(&wrk->vcl); - wrk->vcl = req->vcl; - req->vcl = NULL; - } - - VRTPRIV_dynamic_kill(sp->privs, (uintptr_t)req); - VRTPRIV_dynamic_kill(sp->privs, (uintptr_t)&req->top); - - /* Charge and log byte counters */ - AN(req->vsl->wid); - CNT_AcctLogCharge(wrk->stats, req); - req->req_bodybytes = 0; - - VSL_End(req->vsl); - - if (!isnan(req->t_prev) && req->t_prev > 0.) - sp->t_idle = req->t_prev; - else - sp->t_idle = W_TIM_real(wrk); - - req->t_first = NAN; - req->t_prev = NAN; - req->t_req = NAN; - req->req_body_status = REQ_BODY_INIT; - - req->hash_always_miss = 0; - req->hash_ignore_busy = 0; - req->is_hit = 0; - - if (sp->fd >= 0 && req->doclose != SC_NULL) - SES_Close(sp, req->doclose); - - if (sp->fd < 0) { - wrk->stats->sess_closed++; - AZ(req->vcl); - Req_Release(req); - SES_Delete(sp, SC_NULL, NAN); - return (1); - } - - WS_Reset(req->ws, NULL); - WS_Reset(wrk->aws, NULL); - return (0); -} /*---------------------------------------------------------------------- */ @@ -239,7 +170,7 @@ HTTP1_Session(struct worker *wrk, struct req *req) SES_Close(sp, SC_REM_CLOSE); else SES_Close(sp, SC_TX_ERROR); - AN(http1_cleanup(sp, wrk, req)); + AN(Req_Cleanup(sp, wrk, req)); return; } 
@@ -251,7 +182,7 @@ HTTP1_Session(struct worker *wrk, struct req *req) SES_Close(sp, SC_REM_CLOSE); else SES_Close(sp, SC_TX_ERROR); - AN(http1_cleanup(sp, wrk, req)); + AN(Req_Cleanup(sp, wrk, req)); return; } sp->sess_step = S_STP_H1NEWREQ; @@ -309,7 +240,7 @@ HTTP1_Session(struct worker *wrk, struct req *req) (void)HSH_DerefObjHead(wrk, &req->hash_objhead); AZ(req->hash_objhead); SES_Close(sp, SC_REM_CLOSE); - AN(http1_cleanup(sp, wrk, req)); + AN(Req_Cleanup(sp, wrk, req)); return; } sp->sess_step = S_STP_H1PROC; @@ -331,7 +262,7 @@ HTTP1_Session(struct worker *wrk, struct req *req) sp->sess_step = S_STP_H1CLEANUP; break; case S_STP_H1CLEANUP: - if (http1_cleanup(sp, wrk, req)) + if (Req_Cleanup(sp, wrk, req)) return; SES_RxReInit(req->htc); if (HTTP1_Complete(req->htc) == HTC_S_COMPLETE) { From phk at FreeBSD.org Tue Apr 7 08:13:42 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 07 Apr 2015 10:13:42 +0200 Subject: [master] 5c0be22 Use the regular timeout when waiting for a close Message-ID: commit 5c0be22ac587deff334e60ef0036722cf7a251a1 Author: Poul-Henning Kamp Date: Tue Apr 7 08:02:45 2015 +0000 Use the regular timeout when waiting for a close diff --git a/bin/varnishtest/vtc_http.c b/bin/varnishtest/vtc_http.c index 2b84b43..2cd7ad7 100644 --- a/bin/varnishtest/vtc_http.c +++ b/bin/varnishtest/vtc_http.c @@ -1164,7 +1164,7 @@ cmd_http_expect_close(CMD_ARGS) fds[0].fd = hp->fd; fds[0].events = POLLIN | POLLERR; fds[0].revents = 0; - i = poll(fds, 1, 1000); + i = poll(fds, 1, hp->timeout); if (i == 0) vtc_log(vl, hp->fatal, "Expected close: timeout"); if (i != 1 || !(fds[0].revents & POLLIN)) From phk at FreeBSD.org Tue Apr 7 08:13:42 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 07 Apr 2015 10:13:42 +0200 Subject: [master] 6044905 Introduce a HTC_S_JUNK return value Message-ID: commit 60449056585ee3656426aa9624c398987deee65a Author: Poul-Henning Kamp Date: Tue Apr 7 08:13:28 2015 +0000 Introduce a HTC_S_JUNK return value 
diff --git a/bin/varnishd/cache/cache.h b/bin/varnishd/cache/cache.h index 4eda863..e2207c0 100644 --- a/bin/varnishd/cache/cache.h +++ b/bin/varnishd/cache/cache.h @@ -1000,6 +1000,7 @@ task_func_t SES_Proto_Sess; task_func_t SES_Proto_Req; enum htc_status_e { + HTC_S_JUNK = -5, HTC_S_CLOSE = -4, HTC_S_TIMEOUT = -3, HTC_S_OVERFLOW = -2, diff --git a/bin/varnishd/cache/cache_session.c b/bin/varnishd/cache/cache_session.c index c5f321b..33cad6b 100644 --- a/bin/varnishd/cache/cache_session.c +++ b/bin/varnishd/cache/cache_session.c @@ -259,6 +259,10 @@ SES_RxReq(const struct worker *wrk, struct req *req, htc_complete_f *func) return (HTC_S_OVERFLOW); } hs = func(req->htc); + if (hs == HTC_S_JUNK) { + WS_ReleaseP(req->htc->ws, req->htc->rxbuf_b); + return (HTC_S_JUNK); + } if (hs == HTC_S_COMPLETE) { /* Got it, run with it */ if (isnan(req->t_first)) From phk at FreeBSD.org Tue Apr 7 10:36:55 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 07 Apr 2015 12:36:55 +0200 Subject: [master] 89ca131 Add support for PROXY protocol version 1 Message-ID: commit 89ca131f5387631fa2de61a8a39c25aa0be51cfe Author: Poul-Henning Kamp Date: Tue Apr 7 10:36:37 2015 +0000 Add support for PROXY protocol version 1 diff --git a/bin/varnishd/proxy/cache_proxy_proto.c b/bin/varnishd/proxy/cache_proxy_proto.c index 9f5ca90..8c8eb07 100644 --- a/bin/varnishd/proxy/cache_proxy_proto.c +++ b/bin/varnishd/proxy/cache_proxy_proto.c 
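Review bot: HTC_S_JUNK is added below HTC_S_EMPTY, so every existing consumer that treats `hs < HTC_S_EMPTY` as a closed set of errors now has an unhandled value; the switch in HTTP1_Session (cache_http1_fsm.c, S_STP_H1NEWREQ) has no case for it and would reach `WRONG("htc_status (bad)")`. Whether HTTP1_Complete can ever return it is not visible in this diff, but the value is derived from bytes a peer sent, so it should end in a session close rather than an assertion: add `case HTC_S_JUNK: SES_Delete(sp, SC_RX_JUNK, 0.0); return;` there. In the SES_RxReq hunk, a one-line comment above the new branch, such as `/* completion callback rejected the buffer outright */`, would document the extended htc_complete_f contract. SES_RxReq's body continues outside the hunk.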
@@ -29,13 +29,233 @@ #include "config.h" +#include +#include + +#include +#include +#include + #include "../cache/cache.h" +#include "vend.h" +#include "vsa.h" + +static const char vpx2_sig[] = { + '\r', '\n', '\r', '\n', '\0', '\r', '\n', + 'Q', 'U', 'I', 'T', '\n', +}; + +/********************************************************************** + * PROXY 1 protocol + */ + +static const char vpx1_sig[] = {'P', 'R', 'O', 'X', 'Y'}; + +static int +vpx_proto1(const struct worker *wrk, struct req *req) +{ + const char *fld[5]; + int i; + char *p, *q; + struct addrinfo hints, *res; + struct suckaddr *sa; + int pfam = 0; + + CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); + CHECK_OBJ_NOTNULL(req, REQ_MAGIC); + + VSL(SLT_Debug, req->sp->fd, "PROXY1"); + + q = strchr(req->htc->rxbuf_b, '\r'); + AN(q); + + *q++ = '\0'; + /* Nuke the CRNL */ + if (*q != '\n') + return (-1); + *q++ = '\0'; + + /* Split the fields */ + p = req->htc->rxbuf_b; + for (i = 0; i < 5; i++) { + p = strchr(p, ' '); + if (p == NULL) { + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY1: Too few fields"); + return (-1); + } + *p++ = '\0'; + fld[i] = p; + } + + if (strchr(p, ' ')) { + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY1: Too many fields"); + return (-1); + } + + VSL(SLT_Debug, req->sp->fd, "PROXY1 <%s> <%s> <%s> <%s> <%s>", + fld[0], fld[1], fld[2], fld[3], fld[4]); + + if (!strcmp(fld[0], "TCP4")) + pfam = AF_INET; + else if (!strcmp(fld[0], "TCP6")) + pfam = AF_INET6; + else { + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY1: Wrong TCP[46] field"); + return (-1); + } + + memset(&hints, 0, sizeof hints); + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; + + i = getaddrinfo(fld[1], fld[2], &hints, &res); + if (i != 0) { + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY1: Cannot resolve source address (%s)", + gai_strerror(i)); + return (-1); + } + AZ(res->ai_next); + if (res->ai_family != pfam) { + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY1: %s got wrong protocol (%d)", + fld[0], 
res->ai_family); + freeaddrinfo(res); + return (-1); + } + SES_Reserve_client_addr(req->sp, &sa); + AN(VSA_Build(sa, res->ai_addr, res->ai_addrlen)); + SES_Set_String_Attr(req->sp, SA_CLIENT_IP, fld[1]); + SES_Set_String_Attr(req->sp, SA_CLIENT_PORT, fld[2]); + freeaddrinfo(res); + + i = getaddrinfo(fld[3], fld[4], &hints, &res); + if (i != 0) { + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY1: Cannot resolve destination address (%s)", + gai_strerror(i)); + return (-1); + } + AZ(res->ai_next); + if (res->ai_family != pfam) { + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY1: %s got wrong protocol (%d)", + fld[0], res->ai_family); + freeaddrinfo(res); + return (-1); + } + SES_Reserve_server_addr(req->sp, &sa); + AN(VSA_Build(sa, res->ai_addr, res->ai_addrlen)); + freeaddrinfo(res); + + req->htc->pipeline_b = q; + return (0); +} + +static int +vpx_proto2(const struct worker *wrk, struct req *req) +{ + int l; + + CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); + CHECK_OBJ_NOTNULL(req, REQ_MAGIC); + VSL(SLT_Debug, req->sp->fd, "PROXY2"); + + assert(req->htc->rxbuf_e - req->htc->rxbuf_b >= 16); + l = vbe16dec(req->htc->rxbuf_b + 14); + req->htc->pipeline_b = req->htc->rxbuf_b + 16 + l; + return (0); +} + +static enum htc_status_e __match_proto__(htc_complete_f) +vpx_complete(struct http_conn *htc) +{ + int i, l, j; + char *p; + + CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC); + AZ(htc->pipeline_b); + AZ(htc->pipeline_e); + + l = htc->rxbuf_e - htc->rxbuf_b; + p = htc->rxbuf_b; + j = 0x3; + for (i = 0; i < l; i++) { + if (i < sizeof vpx1_sig && p[i] != vpx1_sig[i]) + j &= ~1; + if (i < sizeof vpx2_sig && p[i] != vpx2_sig[i]) + j &= ~2; + if (j == 0) + return (HTC_S_JUNK); + if (j == 1 && i == sizeof vpx1_sig) { + if (strchr(p + i, '\n') == NULL) + return (HTC_S_MORE); + return (HTC_S_COMPLETE); + } + if (j == 2 && i == sizeof vpx2_sig) { + if (l < 16) + return (HTC_S_MORE); + j = vbe16dec(p + 14); + if (l < 16 + j) + return (HTC_S_MORE); + return (HTC_S_COMPLETE); + } + } + return (HTC_S_MORE); 
+} + + void __match_proto__(task_func_t) VPX_Proto_Sess(struct worker *wrk, void *priv) { + struct req *req; + struct sess *sp; + enum htc_status_e hs; + char *p; + int i; + + CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); + CAST_OBJ_NOTNULL(req, priv, REQ_MAGIC); + sp = req->sp; + + /* Per specifiction */ + assert(sizeof vpx1_sig == 5); + assert(sizeof vpx2_sig == 12); + + hs = SES_RxReq(wrk, req, vpx_complete); + if (hs != HTC_S_COMPLETE) { + Req_Release(req); + SES_Delete(sp, SC_RX_JUNK, NAN); + return; + } + p = req->htc->rxbuf_b; + if (p[0] == vpx1_sig[0]) + i = vpx_proto1(wrk, req); + else if (p[0] == vpx2_sig[0]) + i = vpx_proto2(wrk, req); + else + WRONG("proxy sig mismatch"); + + if (i) { + Req_Release(req); + SES_Delete(sp, SC_RX_JUNK, NAN); + return; + } - (void)wrk; - (void)priv; - INCOMPL(); + if (req->htc->rxbuf_e == req->htc->pipeline_b) + req->htc->pipeline_b = NULL; + else + req->htc->pipeline_e = req->htc->rxbuf_e; + WS_Release(req->htc->ws, 0); + SES_RxReInit(req->htc); + req->t_req = NAN; + req->t_first = NAN; + req->sp->sess_step = S_STP_H1NEWREQ; + wrk->task.func = SES_Proto_Req; + wrk->task.priv = req; + return; } diff --git a/bin/varnishtest/tests/o00000.vtc b/bin/varnishtest/tests/o00000.vtc new file mode 100644 index 0000000..ef535e2 --- /dev/null +++ b/bin/varnishtest/tests/o00000.vtc 
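Review bot: vpx_proto1() asserts on peer-controlled input. vpx_complete() reports HTC_S_COMPLETE as soon as a `'\n'` follows the "PROXY" signature, but vpx_proto1() then runs `q = strchr(req->htc->rxbuf_b, '\r'); AN(q);`, so a header line terminated by a bare LF trips the assertion instead of being rejected as garbage. Replace the `AN(q);` with `if (q == NULL) return (-1);`, preferably with a SLT_ProxyGarbage record like the other reject paths. The strchr() calls in both functions also assume the receive buffer is NUL-terminated before `rxbuf_e`, which nothing in this hunk establishes; a bounded search such as `memchr(p, '\n', htc->rxbuf_e - p)` would remove that assumption. o00000.vtc has no case for an LF-only terminator, and one that expects a close would pin the fix.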
@@ -0,0 +1,159 @@ +varnishtest "PROXY1 protocol tests" + +server s1 { + rxreq + txresp + rxreq + txresp +} -start + +varnish v1 -proto "PROXY" -vcl+backend { + import ${vmod_std}; + + sub vcl_deliver { + set resp.http.li = local.ip; + set resp.http.lp = std.port(local.ip); + set resp.http.ri = remote.ip; + set resp.http.rp = std.port(remote.ip); + set resp.http.ci = client.ip; + set resp.http.cp = std.port(client.ip); + set resp.http.si = server.ip; + set resp.http.sp = std.port(server.ip); + } +} -start + +client c1 { + send "XYZ\r\n" + expect_close +} -run +delay .1 + +client c1 { + send "PROXY " + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY A B C D\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY A B C D E F\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY A B C D E\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY TCP4 B C D E\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY TCP4 1.2.3.4 C D E\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY TCP4 1.2.3.4 1234 D E\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY TCP4 1.2.3.4 1234 5.6.7.8 E\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY TCP6 B C D E\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY TCP6 1:f::2 C D E\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY TCP6 1:f::2 1234 D E\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY TCP6 1:f::2 1234 5:a::8 E\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY TCP4 1:f::2 1234 5:a::8 5678\r\n" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + send "PROXY TCP6 1.2.3.4 1234 5.6.7.8 5678\r\n" + timeout 8 + expect_close +} -run +delay .1 + +# Finally try something which works... 
+client c1 { + send "PROXY TCP4 1.2.3.4 1234 5.6.7.8 5678\r\n" + txreq + rxresp + expect resp.http.ci == "1.2.3.4" + expect resp.http.cp == "1234" + expect resp.http.si == "5.6.7.8" + expect resp.http.sp == "5678" + expect resp.http.li == ${v1_addr} + expect resp.http.lp == ${v1_port} + expect resp.http.ri != "1.2.3.4" + expect resp.http.rp != "1234" +} -run +delay .1 + +client c1 { + send "PROXY TCP6 1:f::2 1234 5:a::8 5678\r\n" + txreq + rxresp + expect resp.http.ci == "1:f::2" + expect resp.http.cp == "1234" + expect resp.http.si == "5:a::8" + expect resp.http.sp == "5678" + expect resp.http.li == ${v1_addr} + expect resp.http.lp == ${v1_port} + expect resp.http.ri != "1:f::2" + expect resp.http.rp != "1234" +} -run +delay .1 + diff --git a/include/tbl/vsl_tags.h b/include/tbl/vsl_tags.h index 4080c5d..94d0910 100644 --- a/include/tbl/vsl_tags.h +++ b/include/tbl/vsl_tags.h @@ -138,6 +138,10 @@ SLTM(HttpGarbage, SLT_F_BINARY, "Unparseable HTTP request", "Logs the content of unparseable HTTP requests.\n\n" ) +SLTM(ProxyGarbage, 0, "Unparseable PROXY request", + "A PROXY protocol header was unparseable.\n\n" +) + SLTM(Backend, 0, "Backend selected", "Logged when a connection is selected for handling a backend" " request.\n\n" From phk at FreeBSD.org Wed Apr 8 08:45:41 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 08 Apr 2015 10:45:41 +0200 Subject: [master] a646c8f Add ProxyV2 support. Message-ID: commit a646c8f6cd66f638d5398da4f1a90c8e5b2f67c3 Author: Poul-Henning Kamp Date: Wed Apr 8 08:45:18 2015 +0000 Add ProxyV2 support. diff --git a/bin/varnishd/proxy/cache_proxy_proto.c b/bin/varnishd/proxy/cache_proxy_proto.c index 8c8eb07..c7ae516 100644 --- a/bin/varnishd/proxy/cache_proxy_proto.c +++ b/bin/varnishd/proxy/cache_proxy_proto.c @@ -32,6 +32,8 @@ #include #include +#include + #include #include #include 
@@ -40,11 +42,7 @@ #include "vend.h" #include "vsa.h" - -static const char vpx2_sig[] = { - '\r', '\n', '\r', '\n', '\0', '\r', '\n', - 'Q', 'U', 'I', 'T', '\n', -}; +#include "vtcp.h" /********************************************************************** * PROXY 1 protocol @@ -60,7 +58,7 @@ vpx_proto1(const struct worker *wrk, struct req *req) char *p, *q; struct addrinfo hints, *res; struct suckaddr *sa; - int pfam = 0; + int pfam = -1; CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); CHECK_OBJ_NOTNULL(req, REQ_MAGIC); 
@@ -156,21 +154,139 @@ vpx_proto1(const struct worker *wrk, struct req *req) return (0); } +/********************************************************************** + * PROXY 2 protocol + */ + +static const char vpx2_sig[] = { + '\r', '\n', '\r', '\n', '\0', '\r', '\n', + 'Q', 'U', 'I', 'T', '\n', +}; + static int vpx_proto2(const struct worker *wrk, struct req *req) { int l; + const uint8_t *p; + sa_family_t pfam = 0xff; + struct sockaddr_in sin4; + struct sockaddr_in6 sin6; + struct suckaddr *sa = NULL; + char hb[VTCP_ADDRBUFSIZE]; + char pb[VTCP_PORTBUFSIZE]; CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); CHECK_OBJ_NOTNULL(req, REQ_MAGIC); - VSL(SLT_Debug, req->sp->fd, "PROXY2"); - assert(req->htc->rxbuf_e - req->htc->rxbuf_b >= 16); + assert(req->htc->rxbuf_e - req->htc->rxbuf_b >= 16L); l = vbe16dec(req->htc->rxbuf_b + 14); - req->htc->pipeline_b = req->htc->rxbuf_b + 16 + l; + assert(req->htc->rxbuf_e - req->htc->rxbuf_b >= 16L + l); + req->htc->pipeline_b = req->htc->rxbuf_b + 16L + l; + p = (const void *)req->htc->rxbuf_b; + + /* Version @12 top half */ + if ((p[12] >> 4) != 2) { + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY2: bad version (%d)", p[12] >> 4); + return (-1); + } + + /* Command @12 bottom half */ + switch(p[12] & 0x0f) { + case 0x0: + /* Local connection from proxy, ignore addresses */ + return (0); + case 0x1: + /* Proxied connection */ + break; + default: + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY2: bad command (%d)", p[12] & 0x0f); + return (-1); + } + + /* Address family & protocol @13 */ + switch(p[13]) { + case 0x00: + /* UNSPEC|UNSPEC, ignore proxy header */ + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY2: Ignoring UNSPEC|UNSPEC addresses"); + return (0); + case 0x11: + /* IPv4|TCP */ + pfam = AF_INET; + if (l < 12) { + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY2: Ignoring short IPv4 addresses (%d)", l); + return (0); + } + break; + case 0x21: + /* IPv6|TCP */ + pfam = AF_INET6; + if (l < 36) { + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY2: Ignoring 
short IPv6 addresses (%d)", l); + return (0); + } + break; + default: + /* Ignore proxy header */ + VSLb(req->vsl, SLT_ProxyGarbage, + "PROXY2: Ignoring unsupported protocol (0x%02x)", p[13]); + return (0); + } + + switch (pfam) { + case AF_INET: + memset(&sin4, 0, sizeof sin4); + sin4.sin_family = pfam; + + /* dst/server */ + memcpy(&sin4.sin_addr, p + 20, 4); + memcpy(&sin4.sin_port, p + 26, 2); + SES_Reserve_server_addr(req->sp, &sa); + AN(VSA_Build(sa, &sin4, sizeof sin4)); + + /* src/client */ + memcpy(&sin4.sin_addr, p + 16, 4); + memcpy(&sin4.sin_port, p + 24, 2); + SES_Reserve_client_addr(req->sp, &sa); + AN(VSA_Build(sa, &sin4, sizeof sin4)); + break; + case AF_INET6: + memset(&sin6, 0, sizeof sin6); + sin6.sin6_family = pfam; + + /* dst/server */ + memcpy(&sin6.sin6_addr, p + 32, 16); + memcpy(&sin6.sin6_port, p + 50, 2); + SES_Reserve_server_addr(req->sp, &sa); + AN(VSA_Build(sa, &sin6, sizeof sin6)); + + /* src/client */ + memcpy(&sin6.sin6_addr, p + 16, 16); + memcpy(&sin6.sin6_port, p + 48, 2); + SES_Reserve_client_addr(req->sp, &sa); + AN(VSA_Build(sa, &sin6, sizeof sin6)); + break; + default: + WRONG("Wrong pfam"); + } + + AN(sa); + VTCP_name(sa, hb, sizeof hb, pb, sizeof pb); + SES_Set_String_Attr(req->sp, SA_CLIENT_IP, hb); + SES_Set_String_Attr(req->sp, SA_CLIENT_PORT, pb); + VSLb(req->vsl, SLT_Debug, "PROXY2 %s %s", hb, pb); + return (0); } +/********************************************************************** + * HTC_Rx completion detector + */ + static enum htc_status_e __match_proto__(htc_complete_f) vpx_complete(struct http_conn *htc) { @@ -192,6 +308,8 @@ vpx_complete(struct http_conn *htc) if (j == 0) return (HTC_S_JUNK); if (j == 1 && i == sizeof vpx1_sig) { + if (l > 107) + return (HTC_S_OVERFLOW); if (strchr(p + i, '\n') == NULL) return (HTC_S_MORE); return (HTC_S_COMPLETE); 
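Review bot: The new `assert(req->htc->rxbuf_e - req->htc->rxbuf_b >= 16L + l)` in vpx_proto2() turns a length read from the wire (`l = vbe16dec(req->htc->rxbuf_b + 14)`) into a hard invariant, and nothing in this hunk shows why it holds. It is safe only if vpx_complete() withholds HTC_S_COMPLETE until the 16-byte header plus `l` bytes are buffered. That part of vpx_complete() is outside the hunk, so please confirm it and say so next to the assert, e.g. `/* vpx_complete() has already waited for 16 + l bytes */`. Without that guarantee the assert is reachable from network input. The fixed offsets in the two `memcpy` groups (16/20/24/26 and 16/32/48/50) would also read better with a one-line comment naming the v2 address-block layout.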
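Review bot: The `107` in `if (l > 107) return (HTC_S_OVERFLOW);` is unexplained. I take it to be the PROXY v1 maximum line length (107 bytes including the CRLF), and a comment or named constant should say so, e.g. `/* PROXY1 line is at most 107 bytes incl. CRLF */`. Assuming `l` is the number of bytes received so far, the test runs before the `strchr()` for the newline and so bounds how much is buffered while waiting for the line end, which is the useful property. The v2 branch of vpx_complete() is outside this hunk, so whether the 16-bit v2 length gets a comparable bound cannot be checked from here.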
@@ -208,7 +326,6 @@ vpx_complete(struct http_conn *htc) return (HTC_S_MORE); } - void __match_proto__(task_func_t) VPX_Proto_Sess(struct worker *wrk, void *priv) { diff --git a/bin/varnishtest/tests/o00001.vtc b/bin/varnishtest/tests/o00001.vtc new file mode 100644 index 0000000..3d4e2f6 --- /dev/null +++ b/bin/varnishtest/tests/o00001.vtc 
@@ -0,0 +1,169 @@ +varnishtest "PROXY v2 test" + +server s1 { + # The server address is part of the hash-key + # so we need three responses + rxreq + expect req.http.x-forwarded-for == "127.0.0.1" + txresp -hdr "Obj: 1" + rxreq + expect req.http.x-forwarded-for == "1.2.3.4" + txresp -hdr "Obj: 2" + rxreq + expect req.http.x-forwarded-for == "102:304:506::d0e:f10" + txresp -hdr "Obj: 3" +} -start + +varnish v1 -proto "PROXY" -vcl+backend { + import ${vmod_std}; + + acl fwd_client { + "1.2.3.4"; + "102:304:506::d0e:f10"; + } + acl fwd_server { + "5.6.7.8"; + "8182:8384:8586::8d8e:8f80"; + } + + sub vcl_deliver { + set resp.http.li = local.ip; + set resp.http.lp = std.port(local.ip); + set resp.http.ri = remote.ip; + set resp.http.rp = std.port(remote.ip); + set resp.http.ci = client.ip; + set resp.http.cp = std.port(client.ip); + set resp.http.si = server.ip; + set resp.http.sp = std.port(server.ip); + set resp.http.fc = (client.ip ~ fwd_client); + set resp.http.fs = (server.ip ~ fwd_server); + } +} -start + +client c1 { + # LOCAL command + sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a" + sendhex "20 00 00 00" + txreq + rxresp + expect resp.status == 200 + expect resp.http.si == "${v1_addr}" + expect resp.http.sp == "${v1_port}" + expect resp.http.ci == "127.0.0.1" +} -run +delay .1 + +client c1 { + # unknown command + sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a" + sendhex "22 00 00 00" + timeout 8 + expect_close +} -run +delay .1 + +client c1 { + # UNSPEC proto + sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a" + sendhex "21 00 00 00" + txreq + rxresp + expect resp.status == 200 + expect resp.http.si == "${v1_addr}" + expect resp.http.sp == "${v1_port}" + expect resp.http.ci == "127.0.0.1" +} -run +delay .1 + +client c1 { + # unknown proto + sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a" + sendhex "21 99 00 00" + txreq + rxresp + expect resp.status == 200 + expect resp.http.si == "${v1_addr}" + expect resp.http.sp == "${v1_port}" + expect resp.http.ci == "127.0.0.1" +} 
-run +delay .1 + +client c1 { + # short IPv4 + sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a" + sendhex "21 11 00 0b" + sendhex "01 02 03 04 05 06 07 08 09 0a 0b" + txreq + rxresp + expect resp.status == 200 + expect resp.http.si == "${v1_addr}" + expect resp.http.sp == "${v1_port}" + expect resp.http.ci == "127.0.0.1" +} -run +delay .1 + +client c1 { + # short IPv6 + sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a" + sendhex "21 21 00 23" + sendhex "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f" + sendhex "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f" + sendhex "01 02 03" + txreq + rxresp + expect resp.status == 200 + expect resp.http.fs == false + expect resp.http.fc == false + expect resp.http.si == "${v1_addr}" + expect resp.http.sp == "${v1_port}" + expect resp.http.ci == "127.0.0.1" +} -run +delay .1 + +client c1 { + # good IPv4 + sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a" + sendhex "21 11 00 0c" + sendhex "01 02 03 04" + sendhex "05 06 07 08" + sendhex "09 0a" + sendhex "0b 0c" + txreq + rxresp + expect resp.status == 200 + expect resp.http.obj == 2 + expect resp.http.fs == true + expect resp.http.fc == true + expect resp.http.ci == "1.2.3.4" + expect resp.http.cp == "2314" + expect resp.http.si == "5.6.7.8" + expect resp.http.sp == "2828" + expect resp.http.li == "${v1_addr}" + expect resp.http.lp == "${v1_port}" + expect resp.http.ri != "1.2.3.4" +} -run +delay .1 + +client c1 { + # good IPv6 + sendhex "0d 0a 0d 0a 00 0d 0a 51 55 49 54 0a" + sendhex "21 21 00 24" + sendhex "01 02 03 04 05 06 00 00 00 00 00 00 0d 0e 0f 10" + sendhex "81 82 83 84 85 86 00 00 00 00 00 00 8d 8e 8f 80" + sendhex "09 0a" + sendhex "0b 0c" + txreq + rxresp + expect resp.status == 200 + expect resp.http.obj == 3 + expect resp.http.fs == true + expect resp.http.fc == true + expect resp.http.ci == "102:304:506::d0e:f10" + expect resp.http.cp == "2314" + expect resp.http.si == "8182:8384:8586::8d8e:8f80" + expect resp.http.sp == "2828" + expect resp.http.li == "${v1_addr}" + 
expect resp.http.lp == "${v1_port}" + expect resp.http.ri != "102:304:506::d0e:f10" +} -run +delay .1 From phk at FreeBSD.org Wed Apr 8 09:05:32 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 08 Apr 2015 11:05:32 +0200 Subject: [master] 966b586 Add "Proxy" VSL tag for information learned through proxy protocol. Message-ID: commit 966b586f490d38c952d28898f7934a4053e0e62a Author: Poul-Henning Kamp Date: Wed Apr 8 09:04:57 2015 +0000 Add "Proxy" VSL tag for information learned through proxy protocol. Clarify which addresses are in ReqStart and SessOpen diff --git a/bin/varnishd/proxy/cache_proxy_proto.c b/bin/varnishd/proxy/cache_proxy_proto.c index c7ae516..299777f 100644 --- a/bin/varnishd/proxy/cache_proxy_proto.c +++ b/bin/varnishd/proxy/cache_proxy_proto.c @@ -150,6 +150,8 @@ vpx_proto1(const struct worker *wrk, struct req *req) AN(VSA_Build(sa, res->ai_addr, res->ai_addrlen)); freeaddrinfo(res); + VSLb(req->vsl, SLT_Proxy, "1 %s %s %s %s", + fld[1], fld[2], fld[3], fld[4]); req->htc->pipeline_b = q; return (0); } @@ -172,6 +174,8 @@ vpx_proto2(const struct worker *wrk, struct req *req) struct sockaddr_in sin4; struct sockaddr_in6 sin6; struct suckaddr *sa = NULL; + char ha[VTCP_ADDRBUFSIZE]; + char pa[VTCP_PORTBUFSIZE]; char hb[VTCP_ADDRBUFSIZE]; char pb[VTCP_PORTBUFSIZE]; @@ -247,6 +251,7 @@ vpx_proto2(const struct worker *wrk, struct req *req) memcpy(&sin4.sin_port, p + 26, 2); SES_Reserve_server_addr(req->sp, &sa); AN(VSA_Build(sa, &sin4, sizeof sin4)); + VTCP_name(sa, ha, sizeof ha, pa, sizeof pa); /* src/client */ memcpy(&sin4.sin_addr, p + 16, 4); @@ -263,6 +268,7 @@ vpx_proto2(const struct worker *wrk, struct req *req) memcpy(&sin6.sin6_port, p + 50, 2); SES_Reserve_server_addr(req->sp, &sa); AN(VSA_Build(sa, &sin6, sizeof sin6)); + VTCP_name(sa, ha, sizeof ha, pa, sizeof pa); /* src/client */ memcpy(&sin6.sin6_addr, p + 16, 16); 
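Review bot: No case in this test reaches the `PROXY2: bad version` branch of vpx_proto2(): every header sent has `2` in the top nibble of byte 12, and the only rejecting case is the unknown command `22`. A client block that sends the signature followed by a version nibble other than 2 (for instance `sendhex "31 00 00 00"`, a constructed value) with `expect_close` would pin that branch. The rejecting case also does not check that a ProxyGarbage record was logged, so a regression that closes the connection for some other reason would still pass.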
@@ -278,8 +284,8 @@ vpx_proto2(const struct worker *wrk, struct req *req) VTCP_name(sa, hb, sizeof hb, pb, sizeof pb); SES_Set_String_Attr(req->sp, SA_CLIENT_IP, hb); SES_Set_String_Attr(req->sp, SA_CLIENT_PORT, pb); - VSLb(req->vsl, SLT_Debug, "PROXY2 %s %s", hb, pb); + VSLb(req->vsl, SLT_Proxy, "2 %s %s %s %s", hb, pb, ha, pa); return (0); } diff --git a/include/tbl/vsl_tags.h b/include/tbl/vsl_tags.h index 94d0910..ecb2683 100644 --- a/include/tbl/vsl_tags.h +++ b/include/tbl/vsl_tags.h @@ -70,9 +70,9 @@ SLTM(SessOpen, 0, "Client connection opened", "\t| | | | | +- File descriptor number\n" "\t| | | | +---- Local TCP port ('-' if !$log_local_addr)\n" "\t| | | +------- Local IPv4/6 address ('-' if !$log_local_addr)\n" - "\t| | +---------- Listen socket\n" - "\t| +------------- Client TCP socket\n" - "\t+---------------- Client IPv4/6 address\n" + "\t| | +---------- Listen socket (-a argument)\n" + "\t| +------------- Remote TCP port\n" + "\t+---------------- Remote IPv4/6 address\n" "\n" ) @@ -138,6 +138,19 @@ SLTM(HttpGarbage, SLT_F_BINARY, "Unparseable HTTP request", "Logs the content of unparseable HTTP requests.\n\n" ) +SLTM(Proxy, 0, "PROXY protocol information", + "PROXY protocol information.\n\n" + "The format is::\n\n" + "\t%d %s %d %s %d [key value]...\n" + "\t| | | | | |\n" + "\t| | | | | +- optional information\n" + "\t| | | | +- server port\n" + "\t| | | +- server ip\n" + "\t| | +- client port\n" + "\t| +- client ip\n" + "\t+---- PROXY protocol version\n" +) + SLTM(ProxyGarbage, 0, "Unparseable PROXY request", "A PROXY protocol header was unparseable.\n\n" ) @@ -263,8 +276,8 @@ SLTM(ReqStart, 0, "Client request start", "The format is::\n\n" "\t%s %s\n" "\t| |\n" - "\t| +- Port number\n" - "\t+---- IP address\n" + "\t| +- Client Port number\n" + "\t+---- Client IP4/6 address\n" "\n" ) From phk at FreeBSD.org Wed Apr 8 11:33:19 2015 
From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 08 Apr 2015 13:33:19 +0200 Subject: [master] d03f387 Explicitly include errno.h now Message-ID: commit d03f387549e5a85a0f26276725e94326b7b62cd5 Author: Poul-Henning Kamp Date: Wed Apr 8 11:33:08 2015 +0000 Explicitly include errno.h now diff --git a/bin/varnishd/waiter/cache_waiter_ports.c b/bin/varnishd/waiter/cache_waiter_ports.c index 8d71ffe..64aa094 100644 --- a/bin/varnishd/waiter/cache_waiter_ports.c +++ b/bin/varnishd/waiter/cache_waiter_ports.c @@ -35,6 +35,7 @@ #include +#include #include #include #include From phk at FreeBSD.org Wed Apr 8 12:07:15 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 08 Apr 2015 14:07:15 +0200 Subject: [master] af3e3a6 Take the mempool overhead out of the allocation, so that setting a workspace to 2^N doesn't result in 2^N+a allocations. Message-ID: commit af3e3a6f65370056c3c68871ecb4138501f3cfc9 Author: Poul-Henning Kamp Date: Wed Apr 8 12:05:45 2015 +0000 Take the mempool overhead out of the allocation, so that setting a workspace to 2^N doesn't result in 2^N+a allocations. Report "sz_wanted" and "sz_actual" in VSC. diff --git a/bin/varnishd/cache/cache_mempool.c b/bin/varnishd/cache/cache_mempool.c index 74e7c12..472441c 100644 --- a/bin/varnishd/cache/cache_mempool.c +++ b/bin/varnishd/cache/cache_mempool.c @@ -75,12 +75,12 @@ mpl_alloc(const struct mempool *mpl) CHECK_OBJ_NOTNULL(mpl, MEMPOOL_MAGIC); tsz = *mpl->cur_size; - mi = calloc(sizeof *mi + tsz, 1); + mi = calloc(tsz, 1); AN(mi); mi->magic = MEMITEM_MAGIC; mi->size = tsz; mpl->vsc->sz_wanted = tsz; - mpl->vsc->sz_needed = tsz + sizeof *mi; + mpl->vsc->sz_actual = tsz - sizeof *mi; return (mi); } @@ -116,7 +116,6 @@ mpl_guard(void *priv) if (mi == NULL && mpl->n_pool < mpl->param->min_pool) mi = mpl_alloc(mpl); - if (mpl->n_pool < mpl->param->min_pool && mi != NULL) { /* can do */ } else if (mpl->n_pool > mpl->param->max_pool && mi == NULL) { 
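Review bot: mpl_alloc() now allocates only `tsz` bytes but still writes the `struct memitem` header into the start of the block, so a configured size below `sizeof *mi` writes past the allocation and makes `tsz - sizeof *mi` wrap. The same subtraction appears unguarded in the later hunks of this file, `*size = mi->size - sizeof *mi` in MPL_Get() and `memset(item, 0, mi->size - sizeof *mi)` in MPL_Free(), where a wrapped value becomes a buffer length. Whether `*mpl->cur_size` has a lower bound is not visible here (mpl_alloc() starts outside the hunk); if it does not, add `assert(tsz > sizeof *mi);` before the `calloc()`. Existing configurations also get `sizeof *mi` fewer usable bytes for the same parameter value, which deserves a line in the parameter documentation.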
@@ -273,6 +272,7 @@ MPL_Get(struct mempool *mpl, unsigned *size) struct memitem *mi; CHECK_OBJ_NOTNULL(mpl, MEMPOOL_MAGIC); + AN(size); Lck_Lock(&mpl->mtx); @@ -301,8 +301,7 @@ MPL_Get(struct mempool *mpl, unsigned *size) if (mi == NULL) mi = mpl_alloc(mpl); - if (size != NULL) - *size = mi->size; + *size = mi->size - sizeof *mi; CHECK_OBJ_NOTNULL(mi, MEMITEM_MAGIC); /* Throw away sizeof info for FlexeLint: */ @@ -319,7 +318,7 @@ MPL_Free(struct mempool *mpl, void *item) mi = (void*)((uintptr_t)item - sizeof(*mi)); CHECK_OBJ_NOTNULL(mi, MEMITEM_MAGIC); - memset(item, 0, mi->size); + memset(item, 0, mi->size - sizeof *mi); Lck_Lock(&mpl->mtx); diff --git a/include/tbl/vsc_fields.h b/include/tbl/vsc_fields.h index b456d9f..7d45f5c 100644 --- a/include/tbl/vsc_fields.h +++ b/include/tbl/vsc_fields.h @@ -239,7 +239,7 @@ VSC_F(sz_wanted, uint64_t, 0, 'g', 'B', debug, "Size requested", "" ) -VSC_F(sz_needed, uint64_t, 0, 'g', 'B', debug, +VSC_F(sz_actual, uint64_t, 0, 'g', 'B', debug, "Size allocated", "" ) From phk at FreeBSD.org Wed Apr 8 12:07:15 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 08 Apr 2015 14:07:15 +0200 Subject: [master] 212c16e Increase the session allocation to 512 to make space for IPv6 proxie'd addresses. Message-ID: commit 212c16e65e16fa188dbc551361ff9569d0810597 Author: Poul-Henning Kamp Date: Wed Apr 8 12:06:37 2015 +0000 Increase the session allocation to 512 to make space for IPv6 proxie'd addresses. diff --git a/bin/varnishd/mgt/mgt_param_tbl.c b/bin/varnishd/mgt/mgt_param_tbl.c index 071d7ed..ceb6b35 100644 --- a/bin/varnishd/mgt/mgt_param_tbl.c +++ b/bin/varnishd/mgt/mgt_param_tbl.c 
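Review bot: `AN(size)` makes the `size` out-parameter of MPL_Get() mandatory where the removed `if (size != NULL)` accepted NULL, so any caller that still passes NULL now panics instead of getting an item. The callers are not part of this diff, so it is worth checking every `MPL_Get(` call site before merging. The value returned through `*size` also changes meaning from the item size to the usable size, so a short comment on the function, e.g. `/* *size receives the usable bytes, excluding the memitem header */`, would help callers that use it as a buffer bound.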
@@ -70,10 +70,12 @@ struct parspec mgt_parspec[] = { { "workspace_session", tweak_bytes_u, &mgt_param.workspace_session, "256", NULL, - "Bytes of workspace for session and TCP connection addresses." + "Allocation size for session structure and workspace. " + " The workspace is primarily used for TCP connection " + "addresses." " If larger than 4k, use a multiple of 4k for VM efficiency.", DELAYED_EFFECT, - "384", "bytes" }, + "512", "bytes" }, { "workspace_client", tweak_bytes_u, &mgt_param.workspace_client, "9k", NULL, From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 2568dc3 Fix syntax error condition check for 'T' argument Message-ID: commit 2568dc3a23b2f66fb73f1adf3dc33ad9b4646b93 Author: Martin Blix Grydeland Date: Mon Mar 23 17:08:25 2015 +0100 Fix syntax error condition check for 'T' argument diff --git a/lib/libvarnishapi/vsl_arg.c b/lib/libvarnishapi/vsl_arg.c index 061c907..24483c9 100644 --- a/lib/libvarnishapi/vsl_arg.c +++ b/lib/libvarnishapi/vsl_arg.c @@ -349,7 +349,7 @@ VSL_Arg(struct VSL_data *vsl, int opt, const char *arg) return (1); case 'T': d = VNUM(arg); - if (!isnan(d)) + if (isnan(d)) return (vsl_diag(vsl, "-T: Syntax error")); if (d < 0.) return (vsl_diag(vsl, "-T: Range error")); From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 67d4b57 Correct the description of this function Message-ID: commit 67d4b57e798c068ef03e0289598839eb0e65b135 Author: Martin Blix Grydeland Date: Mon Mar 23 17:09:37 2015 +0100 Correct the description of this function It isn't internal diff --git a/lib/libvarnishapi/vsm.c b/lib/libvarnishapi/vsm.c index e805b1f..5856262 100644 --- a/lib/libvarnishapi/vsm.c +++ b/lib/libvarnishapi/vsm.c 
@@ -202,7 +202,7 @@ VSM_Delete(struct VSM_data *vd) } /*-------------------------------------------------------------------- - * The internal VSM open function + * The VSM open function * * Return: * 0 = success From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 1422c07 Remove dead code Message-ID: commit 1422c07b40bd28995ea897f0e417ed89ad7c2c3b Author: Martin Blix Grydeland Date: Tue Mar 31 16:07:42 2015 +0200 Remove dead code After VSLQ_Flush() there should not be any ready vtx' to get rid of. diff --git a/lib/libvarnishapi/vsl_dispatch.c b/lib/libvarnishapi/vsl_dispatch.c index 732f8a6..64fde12 100644 --- a/lib/libvarnishapi/vsl_dispatch.c +++ b/lib/libvarnishapi/vsl_dispatch.c @@ -1107,15 +1107,6 @@ VSLQ_Delete(struct VSLQ **pvslq) CHECK_OBJ_NOTNULL(vslq, VSLQ_MAGIC); (void)VSLQ_Flush(vslq, NULL, NULL); - AN(VTAILQ_EMPTY(&vslq->incomplete)); - - while (!VTAILQ_EMPTY(&vslq->ready)) { - vtx = VTAILQ_FIRST(&vslq->ready); - CHECK_OBJ_NOTNULL(vtx, VTX_MAGIC); - VTAILQ_REMOVE(&vslq->ready, vtx, list_vtx); - AN(vtx->flags & VTX_F_READY); - vtx_retire(vslq, &vtx); - } AZ(vslq->n_outstanding); VSL_DeleteCursor(vslq->c); From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 4b4839d Fix spelling Message-ID: commit 4b4839debcd016c795dfaa2a7f20e08e216ff9bb Author: Martin Blix Grydeland Date: Tue Mar 31 16:09:12 2015 +0200 Fix spelling diff --git a/lib/libvarnishapi/vsl_dispatch.c b/lib/libvarnishapi/vsl_dispatch.c index 64fde12..2594691 100644 --- a/lib/libvarnishapi/vsl_dispatch.c +++ b/lib/libvarnishapi/vsl_dispatch.c 
@@ -1340,8 +1340,7 @@ VSLQ_Dispatch(struct VSLQ *vslq, VSLQ_dispatch_f *func, void *priv) return (i); } -/* Flush incomplete any incomplete vtx held on to. Do callbacks if func != - NULL */ +/* Flush any incomplete vtx held on to. Do callbacks if func != NULL */ int VSLQ_Flush(struct VSLQ *vslq, VSLQ_dispatch_f *func, void *priv) { From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 6f5e26c Clearify an API function description Message-ID: commit 6f5e26ccdbf7b6c8acf7639b1be5f8bda20d8680 Author: Martin Blix Grydeland Date: Tue Mar 31 17:22:49 2015 +0200 Clearify an API function description diff --git a/include/vapi/vsl.h b/include/vapi/vsl.h index c202dfd..19daecd 100644 --- a/include/vapi/vsl.h +++ b/include/vapi/vsl.h @@ -479,7 +479,9 @@ struct VSLQ *VSLQ_New(struct VSL_data *vsl, struct VSL_cursor **cp, void VSLQ_Delete(struct VSLQ **pvslq); /* - * Delete the query pointed to by pvslq, freeing up the resources + * Delete the query pointed to by pvslq, freeing up the resources. + * + * Any cursor owned by the query will be deleted. */ int VSLQ_Dispatch(struct VSLQ *vslq, VSLQ_dispatch_f *func, void *priv); From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 99e5297 Allow VSLQ to not have a cursor set Message-ID: commit 99e52973e465c234b83787d307c3113926730a4e Author: Martin Blix Grydeland Date: Tue Mar 31 17:24:39 2015 +0200 Allow VSLQ to not have a cursor set This is to avoid having to delete the VSLQ context during VSM reopen. Also allows parsing of the query without having to open the VSM first, to facilitate early error messages. diff --git a/include/vapi/vsl.h b/include/vapi/vsl.h index 19daecd..3a09054 100644 --- a/include/vapi/vsl.h +++ b/include/vapi/vsl.h 
@@ -463,12 +463,14 @@ VSLQ_dispatch_f VSL_WriteTransactions; struct VSLQ *VSLQ_New(struct VSL_data *vsl, struct VSL_cursor **cp, enum VSL_grouping_e grouping, const char *query); /* - * Create a new query context using cp. On success cp is NULLed, - * and will be deleted when deleting the query. + * Create a new query context. + * + * If cp is not NULL, the cursor pointed to by cp will be + * transferred to the query, and *cp set to NULL. * * Arguments: * vsl: The VSL_data context - * cp: The cursor to use + * cp: Pointer to the cursor to use or NULL * grouping: VXID grouping to report on * query: Query match expression * diff --git a/lib/libvarnishapi/vsl_dispatch.c b/lib/libvarnishapi/vsl_dispatch.c index 2594691..0aa68a9 100644 --- a/lib/libvarnishapi/vsl_dispatch.c +++ b/lib/libvarnishapi/vsl_dispatch.c @@ -1054,7 +1054,6 @@ VSLQ_New(struct VSL_data *vsl, struct VSL_cursor **cp, struct VSLQ *vslq; CHECK_OBJ_NOTNULL(vsl, VSL_MAGIC); - AN(cp); if (grouping > VSL_g_session) { (void)vsl_diag(vsl, "Illegal query grouping"); return (NULL); @@ -1069,8 +1068,10 @@ VSLQ_New(struct VSL_data *vsl, struct VSL_cursor **cp, ALLOC_OBJ(vslq, VSLQ_MAGIC); AN(vslq); vslq->vsl = vsl; - vslq->c = *cp; - *cp = NULL; + if (cp != NULL) { + vslq->c = *cp; + *cp = NULL; + } vslq->grouping = grouping; vslq->query = query; @@ -1109,8 +1110,10 @@ VSLQ_Delete(struct VSLQ **pvslq) (void)VSLQ_Flush(vslq, NULL, NULL); AZ(vslq->n_outstanding); - VSL_DeleteCursor(vslq->c); - vslq->c = NULL; + if (vslq->c != NULL) { + VSL_DeleteCursor(vslq->c); + vslq->c = NULL; + } if (vslq->query != NULL) vslq_deletequery(&vslq->query); @@ -1290,6 +1293,10 @@ VSLQ_Dispatch(struct VSLQ *vslq, VSLQ_dispatch_f *func, void *priv) CHECK_OBJ_NOTNULL(vslq, VSLQ_MAGIC); + /* Check that we have a cursor */ + if (vslq->c == NULL) + return (-2); + if (vslq->grouping == VSL_g_raw) return (vslq_raw(vslq, func, priv)); From martin at varnish-software.com Thu Apr 9 13:16:28 2015 
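Review bot: VSLQ_Dispatch() now returns `-2` when no cursor is set, and the caller in vut.c treats `i == -2` as "Log abandoned" (visible in the later VUT_Main hunk on this page), so a missing cursor and an abandoned log cannot be told apart. This commit does not touch the return-value description for VSLQ_Dispatch() in vsl.h; either document that `-2` also covers "no cursor" or pick a distinct code. Separately, VSLQ_New() accepts a non-NULL `cp` whose `*cp` is NULL without complaint, which silently leaves the query without a cursor; an `AN(*cp);` inside the new `if (cp != NULL)` would catch that.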
From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] f49e3b6 VSLQ_SetCursor method Message-ID: commit f49e3b697afe139d4048b86d9b7a9b75e5c325fd Author: Martin Blix Grydeland Date: Tue Mar 31 17:29:12 2015 +0200 VSLQ_SetCursor method This sets the input cursor to be used by the query. diff --git a/include/vapi/vsl.h b/include/vapi/vsl.h index 3a09054..d87b304 100644 --- a/include/vapi/vsl.h +++ b/include/vapi/vsl.h @@ -486,6 +486,18 @@ void VSLQ_Delete(struct VSLQ **pvslq); * Any cursor owned by the query will be deleted. */ +void VSLQ_SetCursor(struct VSLQ *vslq, struct VSL_cursor **cp); + /* + * Set the cursor to use. + * + * Any previous cursor owned by the query will be deleted. Will + * call VSLQ_Flush. + * + * Arguments: + * vslq: The VSLQ query + * cp: Pointer to the cursor to use or NULL + */ + int VSLQ_Dispatch(struct VSLQ *vslq, VSLQ_dispatch_f *func, void *priv); /* * Process log and call func for each set matching the specified diff --git a/lib/libvarnishapi/libvarnishapi.map b/lib/libvarnishapi/libvarnishapi.map index 0a9cd7d..f96c9c1 100644 --- a/lib/libvarnishapi/libvarnishapi.map +++ b/lib/libvarnishapi/libvarnishapi.map @@ -128,4 +128,5 @@ LIBVARNISHAPI_1.3 { LIBVARNISHAPI_1.4 { global: VNUM; + VSLQ_SetCursor; } LIBVARNISHAPI_1.0; diff --git a/lib/libvarnishapi/vsl_dispatch.c b/lib/libvarnishapi/vsl_dispatch.c index 0aa68a9..1e4a617 100644 --- a/lib/libvarnishapi/vsl_dispatch.c +++ b/lib/libvarnishapi/vsl_dispatch.c 
@@ -1130,6 +1130,26 @@ VSLQ_Delete(struct VSLQ **pvslq) FREE_OBJ(vslq); } +void +VSLQ_SetCursor(struct VSLQ *vslq, struct VSL_cursor **cp) +{ + + CHECK_OBJ_NOTNULL(vslq, VSLQ_MAGIC); + + if (vslq->c != NULL) { + (void)VSLQ_Flush(vslq, NULL, NULL); + AZ(vslq->n_outstanding); + VSL_DeleteCursor(vslq->c); + vslq->c = NULL; + } + + if (cp != NULL) { + AN(*cp); + vslq->c = *cp; + *cp = NULL; + } +} + /* Regard each log line as a single transaction, feed it through the query and do the callback */ static int From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 05f5cd8 Create query and then set the cursor Message-ID: commit 05f5cd86f9bd7b3fc0d4154a01e4af51f873dcba Author: Martin Blix Grydeland Date: Tue Mar 31 17:36:59 2015 +0200 Create query and then set the cursor This makes query expression errors be reported before any VSM connection related errors. diff --git a/lib/libvarnishtools/vut.c b/lib/libvarnishtools/vut.c index 6c4a683..39829e1 100644 --- a/lib/libvarnishtools/vut.c +++ b/lib/libvarnishtools/vut.c @@ -213,10 +213,15 @@ VUT_Setup(void) struct VSL_cursor *c; AN(VUT.vsl); - - /* Input */ if (VUT.r_arg && VUT.vsm) VUT_Error(1, "Can't have both -n and -r options"); + + /* Create query */ + VUT.vslq = VSLQ_New(VUT.vsl, NULL, VUT.g_arg, VUT.q_arg); + if (VUT.vslq == NULL) + VUT_Error(1, "Query expression error:\n%s", VSL_Error(VUT.vsl)); + + /* Input cursor */ if (VUT.r_arg) { REPLACE(VUT.name, VUT.r_arg); c = VSL_CursorFile(VUT.vsl, VUT.r_arg, 0); 
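Review bot: VSLQ_SetCursor() flushes with `VSLQ_Flush(vslq, NULL, NULL)`, i.e. without a callback, so any incomplete transactions held by the query are dropped rather than reported when the cursor is replaced. The header comment added in vsl.h only says "Will call VSLQ_Flush"; I would spell it out: `Incomplete transactions are discarded; call VSLQ_Flush() with a callback first to have them reported.` The flush is also skipped when no cursor was set, which is fine but differs from the comment's unconditional wording.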
@@ -235,11 +240,7 @@ VUT_Setup(void) } if (c == NULL) VUT_Error(1, "Can't open log (%s)", VSL_Error(VUT.vsl)); - - /* Create query */ - VUT.vslq = VSLQ_New(VUT.vsl, &c, VUT.g_arg, VUT.q_arg); - if (VUT.vslq == NULL) - VUT_Error(1, "Query expression error:\n%s", VSL_Error(VUT.vsl)); + VSLQ_SetCursor(VUT.vslq, &c); AZ(c); /* Signal handlers */ From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 20a2007 Add a VSM_IsOpen API function Message-ID: commit 20a2007b6fee40dd93dc1a030568dca90b05f318 Author: Martin Blix Grydeland Date: Tue Mar 31 17:47:59 2015 +0200 Add a VSM_IsOpen API function diff --git a/include/vapi/vsm.h b/include/vapi/vsm.h index 7db5199..c67e140 100644 --- a/include/vapi/vsm.h +++ b/include/vapi/vsm.h @@ -126,6 +126,15 @@ int VSM_Open(struct VSM_data *vd); * <0 on failure, VSM_Error() returns diagnostic string */ +int VSM_IsOpen(const struct VSM_data *vd); + /* + * Check if the VSM is open. + * + * Returns: + * 1: Is open + * 0: Is closed + */ + int VSM_Abandoned(struct VSM_data *vd); /* * Find out if the VSM file has been abandoned or closed and should diff --git a/lib/libvarnishapi/libvarnishapi.map b/lib/libvarnishapi/libvarnishapi.map index f96c9c1..216eded 100644 --- a/lib/libvarnishapi/libvarnishapi.map +++ b/lib/libvarnishapi/libvarnishapi.map @@ -129,4 +129,5 @@ LIBVARNISHAPI_1.4 { global: VNUM; VSLQ_SetCursor; + VSM_IsOpen; } LIBVARNISHAPI_1.0; diff --git a/lib/libvarnishapi/vsm.c b/lib/libvarnishapi/vsm.c index 5856262..c802518 100644 --- a/lib/libvarnishapi/vsm.c +++ b/lib/libvarnishapi/vsm.c 
@@ -287,6 +287,16 @@ VSM_Open(struct VSM_data *vd) /*--------------------------------------------------------------------*/ +int +VSM_IsOpen(const struct VSM_data *vd) +{ + + CHECK_OBJ_NOTNULL(vd, VSM_MAGIC); + return (vd->head != NULL); +} + +/*--------------------------------------------------------------------*/ + void VSM_Close(struct VSM_data *vd) { From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 3bfcf8b Use VSM_IsOpen as state for when to reopen the VSM connection Message-ID: commit 3bfcf8b3f1817ee4c2b884c5863fe43cc8cc13fc Author: Martin Blix Grydeland Date: Wed Apr 1 14:28:24 2015 +0200 Use VSM_IsOpen as state for when to reopen the VSM connection diff --git a/lib/libvarnishtools/vut.c b/lib/libvarnishtools/vut.c index 39829e1..0e8b657 100644 --- a/lib/libvarnishtools/vut.c +++ b/lib/libvarnishtools/vut.c @@ -308,14 +308,12 @@ VUT_Main(void) if (VUT.sigusr1) { /* Flush and report any incomplete records */ VUT.sigusr1 = 0; - if (VUT.vslq != NULL) - VSLQ_Flush(VUT.vslq, vut_dispatch, NULL); + VSLQ_Flush(VUT.vslq, vut_dispatch, NULL); } - if (VUT.vslq == NULL) { + if (VUT.vsm != NULL && !VSM_IsOpen(VUT.vsm)) { /* Reconnect VSM */ AZ(VUT.r_arg); - AN(VUT.vsm); VTIM_sleep(0.1); if (VSM_Open(VUT.vsm)) { VSM_ResetError(VUT.vsm); @@ -328,8 +326,7 @@ VUT_Main(void) VSM_Close(VUT.vsm); continue; } - VUT.vslq = VSLQ_New(VUT.vsl, &c, VUT.g_arg, VUT.q_arg); - AN(VUT.vslq); + VSLQ_SetCursor(VUT.vslq, &c); AZ(c); VUT_Error(0, "Log reacquired"); } 
@@ -358,17 +355,15 @@ VUT_Main(void) /* XXX: Make continuation optional */ VSLQ_Flush(VUT.vslq, vut_dispatch, NULL); - VSLQ_Delete(&VUT.vslq); - AZ(VUT.vslq); - if (i == -2) { + if (i == -2) /* Abandoned */ VUT_Error(0, "Log abandoned"); - VSM_Close(VUT.vsm); - } else if (i < -2) { + else if (i < -2) /* Overrun */ VUT_Error(0, "Log overrun"); - } + + VSM_Close(VUT.vsm); } return (i); From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 726b792 Add -t VSM open timeout option Message-ID: commit 726b7926c9feb2e499720195597abf168e412330 Author: Martin Blix Grydeland Date: Tue Mar 31 15:03:33 2015 +0200 Add -t VSM open timeout option This option controls the timeout for the initial VSM open operation diff --git a/include/vut.h b/include/vut.h index 6558227..8c0a55f 100644 --- a/include/vut.h +++ b/include/vut.h @@ -43,6 +43,7 @@ struct VUT { char *P_arg; char *q_arg; char *r_arg; + double t_arg; /* State */ struct VSL_data *vsl; diff --git a/include/vut_options.h b/include/vut_options.h index 9f01181..6004690 100644 --- a/include/vut_options.h +++ b/include/vut_options.h @@ -84,6 +84,18 @@ "Read log in binary file format from this file." \ ) +#define VUT_OPT_t \ + VOPT("t:", "[-t seconds|]", "VSM connection timeout", \ + "Timeout before returning error on initial VSM connection." \ + " If set the VSM connection is retried every 0.5 seconds" \ + " for this many seconds. If zero the connection is" \ + " attempted only once and will fail immediately if" \ + " unsuccessful. If set to \"off\", the connection will not" \ + " fail, allowing the utility to start and wait" \ + " indefinetely for the Varnish instance to appear. " \ + " Defaults to 5 seconds." \ + ) + #define VUT_OPT_V \ VOPT("V", "[-V]", "Version", \ "Print version information and exit." \ diff --git a/lib/libvarnishtools/vut.c b/lib/libvarnishtools/vut.c index 0e8b657..03917b4 100644 
--- a/lib/libvarnishtools/vut.c +++ b/lib/libvarnishtools/vut.c @@ -39,6 +39,7 @@ #include #include #include +#include #include "compat/daemon.h" #include "vdef.h" @@ -49,6 +50,7 @@ #include "vas.h" #include "miniobj.h" #include "vcs.h" +#include "vnum.h" #include "vut.h" @@ -134,6 +136,7 @@ VUT_Arg(int opt, const char *arg) { int i; char *p; + double d; switch (opt) { case 'd': @@ -182,6 +185,13 @@ VUT_Arg(int opt, const char *arg) /* Binary file input */ REPLACE(VUT.r_arg, arg); return (1); + case 't': + /* VSM connect timeout */ + d = VNUM(arg); + if (isnan(d)) + VUT_Error(1, "-t: Syntax error"); + VUT.t_arg = d; + return (1); case 'V': /* Print version number and exit */ VCS_Message(VUT.progname); @@ -205,6 +215,7 @@ VUT_Init(const char *progname) VUT.vsl = VSL_New(); AN(VUT.vsl); VUT.k_arg = -1; + VUT.t_arg = 5.; } void From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] e1e5837 Implement -t timeout option in VUT Message-ID: commit e1e5837022bee655b6b35e2d5b56ed55b9eafed7 Author: Martin Blix Grydeland Date: Tue Apr 7 16:12:18 2015 +0200 Implement -t timeout option in VUT diff --git a/include/vut.h b/include/vut.h index 8c0a55f..c455662 100644 --- a/include/vut.h +++ b/include/vut.h @@ -40,6 +40,8 @@ struct VUT { int D_opt; int g_arg; int k_arg; + char *n_arg; + char *N_arg; char *P_arg; char *q_arg; char *r_arg; diff --git a/lib/libvarnishtools/vut.c b/lib/libvarnishtools/vut.c index 03917b4..72ba126 100644 --- a/lib/libvarnishtools/vut.c +++ b/lib/libvarnishtools/vut.c @@ -136,7 +136,6 @@ VUT_Arg(int opt, const char *arg) { int i; char *p; - double d; switch (opt) { case 'd': 
@@ -157,21 +156,12 @@ VUT_Arg(int opt, const char *arg) VUT_Error(1, "-k: Invalid number '%s'", arg); return (1); case 'n': - /* Varnish instance */ - if (VUT.vsm == NULL) - VUT.vsm = VSM_New(); - AN(VUT.vsm); - if (VSM_n_Arg(VUT.vsm, arg) <= 0) - VUT_Error(1, "%s", VSM_Error(VUT.vsm)); + /* Varnish instance name */ + REPLACE(VUT.n_arg, arg); return (1); case 'N': /* Varnish stale VSM file */ - if (VUT.vsm == NULL) - VUT.vsm = VSM_New(); - AN(VUT.vsm); - if (VSM_N_Arg(VUT.vsm, arg) <= 0) - VUT_Error(1, "%s", VSM_Error(VUT.vsm)); - VUT.d_opt = 1; /* Enforces -d */ + REPLACE(VUT.N_arg, arg); return (1); case 'P': /* PID file */ @@ -187,10 +177,15 @@ VUT_Arg(int opt, const char *arg) return (1); case 't': /* VSM connect timeout */ - d = VNUM(arg); - if (isnan(d)) - VUT_Error(1, "-t: Syntax error"); - VUT.t_arg = d; + if (!strcasecmp("off", arg)) + VUT.t_arg = -1.; + else { + VUT.t_arg = VNUM(arg); + if (isnan(VUT.t_arg)) + VUT_Error(1, "-t: Syntax error"); + if (VUT.t_arg < 0.) + VUT_Error(1, "-t: Range error"); + } return (1); case 'V': /* Print version number and exit */ 
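Review bot: In the `case 'N':` branch of VUT_Arg, the removed `VUT.d_opt = 1; /* Enforces -d */` has no replacement in the hunks shown, so a stale VSM file given with -N would now be opened with `VSL_COPT_TAIL` rather than `VSL_COPT_TAILSTOP` unless -d is also passed. If the enforcement is still wanted, it can sit next to the `VSM_N_Arg()` call in VUT_Setup, e.g. `if (VUT.N_arg != NULL) VUT.d_opt = 1;`. The switch in VUT_Arg starts and ends outside the hunk, so an assignment elsewhere cannot be ruled out from here.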
@@ -222,36 +217,80 @@ void VUT_Setup(void) { struct VSL_cursor *c; + double t_start; + int i; AN(VUT.vsl); - if (VUT.r_arg && VUT.vsm) - VUT_Error(1, "Can't have both -n and -r options"); + AZ(VUT.vsm); + AZ(VUT.vslq); + + /* Check input arguments */ + if ((VUT.n_arg == NULL ? 0 : 1) + + (VUT.N_arg == NULL ? 0 : 1) + + (VUT.r_arg == NULL ? 0 : 1) > 1) + VUT_Error(1, "Only one of -n, -N and -r options may be used"); - /* Create query */ + /* Create and validate the query expression */ VUT.vslq = VSLQ_New(VUT.vsl, NULL, VUT.g_arg, VUT.q_arg); if (VUT.vslq == NULL) VUT_Error(1, "Query expression error:\n%s", VSL_Error(VUT.vsl)); - /* Input cursor */ + /* Setup input */ if (VUT.r_arg) { REPLACE(VUT.name, VUT.r_arg); c = VSL_CursorFile(VUT.vsl, VUT.r_arg, 0); + if (c == NULL) + VUT_Error(1, "Can't open log file (%s)", + VSL_Error(VUT.vsl)); } else { - if (VUT.vsm == NULL) - /* Default uses VSM with n=hostname */ - VUT.vsm = VSM_New(); + VUT.vsm = VSM_New(); AN(VUT.vsm); - if (VSM_Open(VUT.vsm)) - VUT_Error(1, "Can't open VSM file (%s)", - VSM_Error(VUT.vsm)); + if (VUT.n_arg && VSM_n_Arg(VUT.vsm, VUT.n_arg) <= 0) + VUT_Error(1, "%s", VSM_Error(VUT.vsm)); + if (VUT.N_arg && VSM_N_Arg(VUT.vsm, VUT.N_arg) <= 0) + VUT_Error(1, "%s", VSM_Error(VUT.vsm)); REPLACE(VUT.name, VSM_Name(VUT.vsm)); - c = VSL_CursorVSM(VUT.vsl, VUT.vsm, - (VUT.d_opt ? VSL_COPT_TAILSTOP : VSL_COPT_TAIL) - | VSL_COPT_BATCH); + t_start = NAN; + c = NULL; + while (1) { + i = VSM_Open(VUT.vsm); + if (!i) + c = VSL_CursorVSM(VUT.vsl, VUT.vsm, + (VUT.d_opt ? VSL_COPT_TAILSTOP : + VSL_COPT_TAIL) + | VSL_COPT_BATCH); + if (c) + break; + + if (isnan(t_start) && VUT.t_arg > 0.) { + VUT_Error(0, "Can't open log -" + " retrying for %.0f seconds", VUT.t_arg); + t_start = VTIM_real(); + } + VSM_Close(VUT.vsm); + if (VUT.t_arg <= 0.) + break; + if (VTIM_real() - t_start > VUT.t_arg) + break; + + VSM_ResetError(VUT.vsm); + VSL_ResetError(VUT.vsl); + VTIM_sleep(0.5); + } + + if (VUT.t_arg >= 0. 
&& (i || !c)) { + if (i) + VUT_Error(1, "Can't open VSM file (%s)", + VSM_Error(VUT.vsm)); + else + VUT_Error(1, "Can't open log (%s)", + VSL_Error(VUT.vsl)); + } else if (!isnan(t_start)) + VUT_Error(0, "Log opened"); } - if (c == NULL) - VUT_Error(1, "Can't open log (%s)", VSL_Error(VUT.vsl)); - VSLQ_SetCursor(VUT.vslq, &c); + + if (c) + VSLQ_SetCursor(VUT.vslq, &c); AZ(c); /* Signal handlers */ @@ -282,6 +321,8 @@ VUT_Setup(void) void VUT_Fini(void) { + free(VUT.n_arg); + free(VUT.N_arg); free(VUT.r_arg); free(VUT.P_arg); free(VUT.name); From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 5f9ba61 Enable -t option in the utilities Message-ID: commit 5f9ba61a92a03dbf502bb6dbc3eb4f1051f00780 Author: Martin Blix Grydeland Date: Tue Apr 7 16:22:21 2015 +0200 Enable -t option in the utilities Fixes: #1674 diff --git a/bin/varnishhist/varnishhist_options.h b/bin/varnishhist/varnishhist_options.h index f3223f3..a04a7e0 100644 --- a/bin/varnishhist/varnishhist_options.h +++ b/bin/varnishhist/varnishhist_options.h @@ -65,5 +65,6 @@ HIS_OPT_p HIS_OPT_P VUT_OPT_q VUT_OPT_r +VUT_OPT_t VSL_OPT_T VUT_OPT_V diff --git a/bin/varnishlog/varnishlog_options.h b/bin/varnishlog/varnishlog_options.h index 1f2ab93..2ceaa7c 100644 --- a/bin/varnishlog/varnishlog_options.h +++ b/bin/varnishlog/varnishlog_options.h @@ -67,6 +67,7 @@ VUT_OPT_N VUT_OPT_P VUT_OPT_q VUT_OPT_r +VUT_OPT_t VSL_OPT_T VSL_OPT_v VUT_OPT_V diff --git a/bin/varnishncsa/varnishncsa_options.h b/bin/varnishncsa/varnishncsa_options.h index dc8ea30..d2b7bde 100644 --- a/bin/varnishncsa/varnishncsa_options.h +++ b/bin/varnishncsa/varnishncsa_options.h @@ -65,5 +65,6 @@ VUT_OPT_n VUT_OPT_N VUT_OPT_P VUT_OPT_q +VUT_OPT_t VUT_OPT_V NCSA_OPT_w diff --git a/bin/varnishtop/varnishtop_options.h b/bin/varnishtop/varnishtop_options.h index 2d3353e..42c1755 100644 --- a/bin/varnishtop/varnishtop_options.h 
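Review bot: The retry window in VUT_Setup is measured with the wall clock (`t_start = VTIM_real();` and `VTIM_real() - t_start > VUT.t_arg`), so a clock step during startup can end the -t wait early or stretch it well past the requested seconds. A monotonic source fits an elapsed-time check better: `t_start = VTIM_mono();` and `if (VTIM_mono() - t_start > VUT.t_arg)`. The varnishstat `main()` retry loop further down this page has the same pattern. Separately, when the loop gives up, `VSM_Close(VUT.vsm)` has already run before `VSM_Error(VUT.vsm)` is formatted into the fatal message, so it is worth confirming that the diagnostic string survives the close.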
+++ b/bin/varnishtop/varnishtop_options.h @@ -68,6 +68,7 @@ VUT_OPT_N TOP_OPT_p VUT_OPT_q VUT_OPT_r +VUT_OPT_t VSL_OPT_T VSL_OPT_x VSL_OPT_X From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] 0a36e0b Implement -t timeout logic for varnishstat Message-ID: commit 0a36e0b311a0663545ca78ff1f73184bcac789f7 Author: Martin Blix Grydeland Date: Thu Apr 9 14:20:01 2015 +0200 Implement -t timeout logic for varnishstat diff --git a/bin/varnishstat/varnishstat.c b/bin/varnishstat/varnishstat.c index 3f8f9d0..bd0beee 100644 --- a/bin/varnishstat/varnishstat.c +++ b/bin/varnishstat/varnishstat.c @@ -33,12 +33,16 @@ #include "config.h" #include - #include #include #include #include #include +#include +#include + +#include "vnum.h" +#include "vtim.h" #include "varnishstat.h" @@ -275,10 +279,12 @@ main(int argc, char * const *argv) { int c; struct VSM_data *vd; - double delay = 1.0; - int once = 0, xml = 0, json = 0, do_repeat = 0, f_list = 0; + double delay = 1.0, t_arg = 5.0, t_start = NAN; + int once = 0, xml = 0, json = 0, do_repeat = 0, f_list = 0, curses = 0; + int i; vd = VSM_New(); + AN(vd); while ((c = getopt(argc, argv, VSC_ARGS "1f:lVw:xjt:")) != -1) { switch (c) { @@ -288,12 +294,31 @@ main(int argc, char * const *argv) case 'l': f_list = 1; break; + case 't': + if (!strcasecmp(optarg, "off")) + t_arg = -1.; + else { + t_arg = VNUM(optarg); + if (isnan(t_arg)) { + fprintf(stderr, "-t: Syntax error"); + exit(1); + } + if (t_arg < 0.) { + fprintf(stderr, "-t: Range error"); + exit(1); + } + } + break; case 'V': VCS_Message("varnishstat"); exit(0); case 'w': do_repeat = 1; - delay = atof(optarg); + delay = VNUM(optarg); + if (isnan(delay)) { + fprintf(stderr, "-w: Syntax error"); + exit(1); + } break; case 'x': xml = 1; 
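Review bot: The new `-w` handling in varnishstat's main() rejects only a syntax error, so a negative `delay` is still accepted and passed on, whereas `-t` a few lines above gets an explicit range check. A matching guard would be `if (isnan(delay) || delay < 0.) {` with the same error exit. The three new messages also lack a trailing newline, e.g. `fprintf(stderr, "-t: Syntax error\n");`. main() starts and ends outside the hunk.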
@@ -309,15 +334,40 @@ main(int argc, char * const *argv) } } - if (VSM_Open(vd)) { - fprintf(stderr, "%s\n", VSM_Error(vd)); - exit(1); + if (!(xml || json || once || f_list)) + curses = 1; + + while (1) { + i = VSM_Open(vd); + if (!i) + break; + if (isnan(t_start) && t_arg > 0.) { + fprintf(stderr, "Can't open log -" + " retrying for %.0f seconds\n", t_arg); + t_start = VTIM_real(); + } + if (t_arg <= 0.) + break; + if (VTIM_real() - t_start > t_arg) + break; + VSM_ResetError(vd); + VTIM_sleep(0.5); } - if (!(xml || json || once || f_list)) { + + if (curses) { + if (i && t_arg >= 0.) { + fprintf(stderr, "%s\n", VSM_Error(vd)); + exit(1); + } do_curses(vd, delay); exit(0); } + if (i) { + fprintf(stderr, "%s\n", VSM_Error(vd)); + exit(1); + } + while (1) { if (xml) do_xml(vd); From martin at varnish-software.com Thu Apr 9 13:16:28 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 09 Apr 2015 15:16:28 +0200 Subject: [master] af26ca9 Varnishstat documentation for -t option Message-ID: commit af26ca922a481fb8584f6d2bf9fc78045bb15c51 Author: Martin Blix Grydeland Date: Thu Apr 9 14:58:25 2015 +0200 Varnishstat documentation for -t option diff --git a/doc/sphinx/reference/varnishstat.rst b/doc/sphinx/reference/varnishstat.rst index 7570ef0..47d597e 100644 --- a/doc/sphinx/reference/varnishstat.rst +++ b/doc/sphinx/reference/varnishstat.rst 
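Review bot: With `-t off` (`t_arg = -1.`) the retry loop in main() leaves on the first failed `VSM_Open()` through `if (t_arg <= 0.) break;`, and in the non-curses modes the following `if (i) { ...; exit(1); }` then exits at once, which does not match the documented "off" behaviour of waiting for the instance to appear. Only the curses path skips the error for a negative `t_arg`. Either keep retrying when `t_arg < 0.` (`if (t_arg == 0.) break;` and `if (t_arg > 0. && VTIM_real() - t_start > t_arg) break;`), or document that "off" applies to the interactive display only. main() starts and ends outside the hunk.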
@@ -52,6 +52,15 @@ The following options are available: Specify a the filename of a stale VSM instance. When using this option the abandonment checking is disabled. +-t seconds| + Timeout before returning error on initial VSM connection. If + set the VSM connection is retried every 0.5 seconds for this + any seconds. If zero the connection is attempted only once and + will fail immediately if unsuccessful. If set to "off", the + connection will not fail, allowing the utility to start and + wait indefinetely for the Varnish instance to appear. + Defaults to 5 seconds. + -V Display the version number and exit. From martin at varnish-software.com Fri Apr 10 12:06:55 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Fri, 10 Apr 2015 14:06:55 +0200 Subject: [master] 8822c84 Do not trigger on EPOLLPRI in the epoll waiter Message-ID: commit 8822c846c868a73f0c72a3ba1059fe788b107987 Author: Martin Blix Grydeland Date: Fri Apr 10 11:30:40 2015 +0200 Do not trigger on EPOLLPRI in the epoll waiter EPOLLPRI causes the waiter to report activity on a socket when there is OOB data available. Since HTTP does not make use of OOB the data is never read and the socket thus is always ready for read according to the waiter. This causes the waiter to continously assign the session to a worker only for the worker to find out there is no data sending it back to the waiter. This continues until the request timeout_idle has elapsed. This problem does no constitute a DOS attack vector as the linger timeout in the session SES_RxReq is still invoked, and this one does not trigger on PRI. So the worker sleeps on that poll for timeout_linger before sending the session back to the waiter, and eventually is dropped on timeout_idle. diff --git a/bin/varnishd/waiter/cache_waiter_epoll.c b/bin/varnishd/waiter/cache_waiter_epoll.c index 0778d43..56987cd 100644 --- a/bin/varnishd/waiter/cache_waiter_epoll.c +++ b/bin/varnishd/waiter/cache_waiter_epoll.c 
@@ -74,7 +74,7 @@ vwe_inject(const struct waiter *w, struct waited *wp) AZ(epoll_ctl(vwe->epfd, EPOLL_CTL_MOD, wp->fd, &wp->ev)); else { wp->ev.data.ptr = wp; - wp->ev.events = EPOLLIN | EPOLLPRI | EPOLLRDHUP; + wp->ev.events = EPOLLIN | EPOLLRDHUP; if (wp != w->pipe_w) wp->ev.events |= EPOLLONESHOT; AZ(epoll_ctl(vwe->epfd, EPOLL_CTL_ADD, wp->fd, &wp->ev)); @@ -88,7 +88,7 @@ vwe_eev(struct vwe *vwe, const struct epoll_event *ep, double now) AN(ep->data.ptr); CAST_OBJ_NOTNULL(sp, ep->data.ptr, WAITED_MAGIC); - if (ep->events & EPOLLIN || ep->events & EPOLLPRI) { + if (ep->events & EPOLLIN) { Wait_Handle(vwe->waiter, sp, WAITER_ACTION, now); } else if (ep->events & EPOLLERR) { Wait_Handle(vwe->waiter, sp, WAITER_REMCLOSE, now); From martin at varnish-software.com Fri Apr 10 12:06:55 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Fri, 10 Apr 2015 14:06:55 +0200 Subject: [master] 9fa4d02 Add varnishtest support for OOB urgent messages and a test case execising that Message-ID: commit 9fa4d02542fcb40b2154d382d397d75a8cefbeb3 Author: Martin Blix Grydeland Date: Fri Apr 10 14:02:15 2015 +0200 Add varnishtest support for OOB urgent messages and a test case execising that diff --git a/bin/varnishtest/tests/b00046.vtc b/bin/varnishtest/tests/b00046.vtc new file mode 100644 index 0000000..95d64bb --- /dev/null +++ b/bin/varnishtest/tests/b00046.vtc @@ -0,0 +1,33 @@ +varnishtest "Check that TCP OOB urgent data doesn't cause ill effects" + +server s1 { + rxreq + send_urgent " " + txresp + send_urgent " " + + rxreq + send_urgent " " + txresp + send_urgent " " +} -start + +varnish v1 -vcl+backend {} -start + +client c1 { + delay 0.5 + send_urgent " " + expect_close +} -run + +client c1 { + send_urgent " " + txreq -url /1 + send_urgent " " + rxresp + send_urgent " " + txreq -url /2 + send_urgent " " + rxresp + send_urgent " " +} -run diff --git a/bin/varnishtest/vtc_http.c b/bin/varnishtest/vtc_http.c index 2cd7ad7..93ddf4e 100644 
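Review bot: The event mask in vwe_inject drops `EPOLLPRI` without a comment, and the reason is recorded only in the commit message. A short comment at the assignment would keep the flag from being re-added later, for example `/* No EPOLLPRI: OOB data is never read, so the fd would stay ready until timeout_idle */` above `wp->ev.events = EPOLLIN | EPOLLRDHUP;`. The matching test in vwe_eev could carry a one-line pointer to it. Both functions extend beyond their hunks.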
--- a/bin/varnishtest/vtc_http.c +++ b/bin/varnishtest/vtc_http.c @@ -1026,6 +1026,28 @@ cmd_http_send_n(CMD_ARGS) } /********************************************************************** + * Send an OOB urgent message + */ + +static void +cmd_http_send_urgent(CMD_ARGS) +{ + struct http *hp; + int i; + + (void)cmd; + (void)vl; + CAST_OBJ_NOTNULL(hp, priv, HTTP_MAGIC); + AN(av[1]); + AZ(av[2]); + vtc_dump(hp->vl, 4, "send_urgent", av[1], -1); + i = send(hp->fd, av[1], strlen(av[1]), MSG_OOB); + if (i != strlen(av[1])) + vtc_log(hp->vl, hp->fatal, + "Write error in http_send_urgent(): %s", strerror(errno)); +} + +/********************************************************************** * Send a hex string */ @@ -1290,6 +1312,7 @@ static const struct cmds http_cmds[] = { { "expect", cmd_http_expect }, { "send", cmd_http_send }, { "send_n", cmd_http_send_n }, + { "send_urgent", cmd_http_send_urgent }, { "sendhex", cmd_http_sendhex }, { "chunked", cmd_http_chunked }, { "chunkedlen", cmd_http_chunkedlen }, From fgsch at lodoss.net Fri Apr 10 17:10:45 2015 From: fgsch at lodoss.net (Federico G. Schwindt) Date: Fri, 10 Apr 2015 19:10:45 +0200 Subject: [master] 2c95d14 Indent Message-ID: commit 2c95d14fd2d5f198cacb95ab9015359c8540a5c6 Author: Federico G. Schwindt Date: Wed Apr 8 10:40:04 2015 +0100 Indent diff --git a/bin/varnishd/storage/stevedore.c b/bin/varnishd/storage/stevedore.c index 6762c34..c94e0c8 100644 --- a/bin/varnishd/storage/stevedore.c +++ b/bin/varnishd/storage/stevedore.c @@ -298,7 +298,8 @@ STV_trim(const struct stevedore *stv, struct storage *st, size_t size, CHECK_OBJ_NOTNULL(stv, STEVEDORE_MAGIC); CHECK_OBJ_NOTNULL(st, STORAGE_MAGIC); if (stv->trim) - stv->trim(st, size, move_ok); } + stv->trim(st, size, move_ok); +} void STV_free(const struct stevedore *stv, struct storage *st) From fgsch at lodoss.net Fri Apr 10 17:10:45 2015 
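Review bot: In cmd_http_send_urgent the result of `send()` is stored in an `int` and compared with the `size_t` from `strlen(av[1])`, which only works because -1 converts to a large unsigned value, and a short send is reported with whatever `errno` happens to hold. Declaring `ssize_t i;` and testing `if (i < 0 || (size_t)i != strlen(av[1]))` makes the failure case explicit and avoids the sign-compare warning.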
From: fgsch at lodoss.net (Federico G. Schwindt) Date: Fri, 10 Apr 2015 19:10:45 +0200 Subject: [master] b845ad0 Remove unnecessary check Message-ID: commit b845ad09fd2e63217d5e31bed7b9e23fe73db77a Author: Federico G. Schwindt Date: Wed Apr 8 10:40:22 2015 +0100 Remove unnecessary check diff --git a/bin/varnishtest/tests/m00006.vtc b/bin/varnishtest/tests/m00006.vtc index 0d33e73..1dd4dec 100644 --- a/bin/varnishtest/tests/m00006.vtc +++ b/bin/varnishtest/tests/m00006.vtc @@ -42,13 +42,3 @@ client c1 { expect resp.status == 200 expect resp.bodylen == 1 } -run - -varnish v1 -errvcl {'beresp.http.bar': Not available in method 'vcl_recv'} { - import ${vmod_std}; - - backend b { .host = "127.0.0.1"; } - - sub vcl_recv { - std.collect(beresp.http.bar); - } -} From phk at FreeBSD.org Mon Apr 13 06:59:57 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Mon, 13 Apr 2015 08:59:57 +0200 Subject: [master] f03486b Raise jail privs around initial socket opening. Message-ID: commit f03486b7e19ac45f60191b05f2e8562625f7a189 Author: Poul-Henning Kamp Date: Mon Apr 13 06:35:35 2015 +0000 Raise jail privs around initial socket opening. Fixes #1699 diff --git a/bin/varnishd/mgt/mgt_acceptor.c b/bin/varnishd/mgt/mgt_acceptor.c index 404d3e7..6d3c240 100644 --- a/bin/varnishd/mgt/mgt_acceptor.c +++ b/bin/varnishd/mgt/mgt_acceptor.c @@ -136,7 +136,9 @@ mac_callback(void *priv, const struct suckaddr *sa) ls->addr = sa; ls->proto_name = mh->proto_name; ls->first_step = mh->first_step; + VJ_master(JAIL_MASTER_PRIVPORT); fail = mac_opensocket(ls, NULL); + VJ_master(JAIL_MASTER_LOW); if (ls->sock < 0) { *(mh->err) = strerror(fail); FREE_OBJ(ls); From phk at FreeBSD.org Mon Apr 13 06:59:57 2015 
From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Mon, 13 Apr 2015 08:59:57 +0200 Subject: [master] dbf414c Add a JAIL_MASTER_FILE privilege for accessing files with full privs. Message-ID: commit dbf414c832b17e9cf640729a06c2299dcdbc4bf3 Author: Poul-Henning Kamp Date: Mon Apr 13 06:59:39 2015 +0000 Add a JAIL_MASTER_FILE privilege for accessing files with full privs. diff --git a/bin/varnishd/mgt/mgt.h b/bin/varnishd/mgt/mgt.h index 7f42f87..ae65533 100644 --- a/bin/varnishd/mgt/mgt.h +++ b/bin/varnishd/mgt/mgt.h @@ -77,6 +77,7 @@ enum jail_subproc_e { enum jail_master_e { JAIL_MASTER_LOW, + JAIL_MASTER_FILE, JAIL_MASTER_STORAGE, JAIL_MASTER_PRIVPORT, }; diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c index 7611365..d7a88d7 100644 --- a/bin/varnishd/mgt/mgt_jail_unix.c +++ b/bin/varnishd/mgt/mgt_jail_unix.c @@ -139,11 +139,10 @@ vju_init(char **args) static void __match_proto__(jail_master_f) vju_master(enum jail_master_e jme) { - if (jme == JAIL_MASTER_STORAGE || - jme == JAIL_MASTER_PRIVPORT) - AZ(seteuid(0)); - else + if (jme == JAIL_MASTER_LOW) AZ(seteuid(vju_uid)); + else + AZ(seteuid(0)); } static void __match_proto__(jail_subproc_f) From phk at FreeBSD.org Mon Apr 13 08:41:25 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Mon, 13 Apr 2015 10:41:25 +0200 Subject: [master] 3ab1e30 Polish Message-ID: commit 3ab1e305cde25fb323e72a15a8152f12ff1fe2f1 Author: Poul-Henning Kamp Date: Mon Apr 13 08:41:17 2015 +0000 Polish diff --git a/bin/varnishd/mgt/mgt_sandbox.c b/bin/varnishd/mgt/mgt_sandbox.c index df7eadb..f0c0443 100644 --- a/bin/varnishd/mgt/mgt_sandbox.c +++ b/bin/varnishd/mgt/mgt_sandbox.c @@ -245,7 +245,7 @@ mgt_sandbox_unix(enum sandbox_e who) /*--------------------------------------------------------------------*/ -static void __match_proto__(sub_func_f) +static void __match_proto__(vsub_func_f) run_sandbox_test(void *priv) { 
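Review bot: vju_master now treats every value other than `JAIL_MASTER_LOW` as a request for euid 0, so any future or out-of-range `enum jail_master_e` value is granted full privileges by default, whereas the removed code raised privileges only for the values it named. An explicit switch keeps the privileged set closed and fails loudly on anything unexpected, as sketched below. The later rewrite of this function on this page, which adds `setegid()`, keeps the same if/else shape and would benefit from the same structure.

```c
vju_master(enum jail_master_e jme)
{
	switch (jme) {
	case JAIL_MASTER_LOW:
		AZ(seteuid(vju_uid));
		break;
	case JAIL_MASTER_FILE:
	case JAIL_MASTER_STORAGE:
	case JAIL_MASTER_PRIVPORT:
		AZ(seteuid(0));
		break;
	default:
		WRONG("jail_master_e");
	}
}
```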
diff --git a/bin/varnishd/mgt/mgt_vcc.c b/bin/varnishd/mgt/mgt_vcc.c index 6e98c1f..78c9169 100644 --- a/bin/varnishd/mgt/mgt_vcc.c +++ b/bin/varnishd/mgt/mgt_vcc.c @@ -77,7 +77,7 @@ static const char * const builtin_vcl = * Invoke system VCC compiler in a sub-process */ -static void +static void __match_proto__(vsub_func_f) run_vcc(void *priv) { char *csrc; @@ -122,7 +122,7 @@ run_vcc(void *priv) * Invoke system C compiler in a sub-process */ -static void +static void __match_proto__(vsub_func_f) run_cc(void *priv) { struct vcc_priv *vp; @@ -172,7 +172,7 @@ run_cc(void *priv) * Attempt to open compiled VCL in a sub-process */ -static void __match_proto__(sub_func_f) +static void __match_proto__(vsub_func_f) run_dlopen(void *priv) { void *dlh; diff --git a/bin/varnishtest/tests/b00046.vtc b/bin/varnishtest/tests/b00046.vtc index 95d64bb..2c60f66 100644 --- a/bin/varnishtest/tests/b00046.vtc +++ b/bin/varnishtest/tests/b00046.vtc @@ -5,7 +5,7 @@ server s1 { send_urgent " " txresp send_urgent " " - + rxreq send_urgent " " txresp diff --git a/lib/libvarnish/vsub.c b/lib/libvarnish/vsub.c index 71c9670..cf71c26 100644 --- a/lib/libvarnish/vsub.c +++ b/lib/libvarnish/vsub.c @@ -100,13 +100,13 @@ VSUB_run(struct vsb *sb, vsub_func_f *func, void *priv, const char *name, assert(dup2(p[1], STDOUT_FILENO) == STDOUT_FILENO); assert(dup2(p[1], STDERR_FILENO) == STDERR_FILENO); /* Close all other fds */ - for (sfd = STDERR_FILENO + 1; sfd < 100; sfd++) + for (sfd = STDERR_FILENO+1; sfd < sysconf(_SC_OPEN_MAX); sfd++) (void)close(sfd); func(priv); /* * func should either exec or exit, so getting here should be * treated like an assertion failure - except that we don't know - * if it's save to trigger an acutal assertion + * if it's safe to trigger an acutal assertion */ _exit(4); } From lkarsten at varnish-software.com Mon Apr 13 12:56:18 2015 
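Review bot: In VSUB_run the close loop now uses `sysconf(_SC_OPEN_MAX)` as its bound, but that call may return -1 when the limit is indeterminate, in which case no descriptor above stderr is closed and everything the parent holds open is inherited by the child that runs `func(priv)`. The call is also evaluated on every iteration and the limit can be very large. Reading it once and falling back to the old bound covers both: `long maxfd = sysconf(_SC_OPEN_MAX);`, `if (maxfd < 0) maxfd = 100;`, then `sfd < maxfd` in the loop. VSUB_run starts and ends outside the hunk.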
From: lkarsten at varnish-software.com (Lasse Karstensen) Date: Mon, 13 Apr 2015 14:56:18 +0200 Subject: [master] 75b8d3b Add missing linefeed in comment. Message-ID: commit 75b8d3be6951a43b4ec0b1d0ad0b0f9949fce11c Author: Lasse Karstensen Date: Mon Apr 13 11:54:01 2015 +0200 Add missing linefeed in comment. diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c index d7a88d7..4f9122c 100644 --- a/bin/varnishd/mgt/mgt_jail_unix.c +++ b/bin/varnishd/mgt/mgt_jail_unix.c @@ -167,7 +167,8 @@ vju_subproc(enum jail_subproc_e jse) #ifdef __linux__ /* - * On linux mucking about with uid/gid disables core-dumps, * reenable them again. + * On linux mucking about with uid/gid disables core-dumps, + * reenable them again. */ if (prctl(PR_SET_DUMPABLE, 1) != 0) { REPORT0(LOG_INFO, From phk at FreeBSD.org Mon Apr 13 20:46:13 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Mon, 13 Apr 2015 22:46:13 +0200 Subject: [master] 900702b Move each vcl into a subdirectory under the -n directory Message-ID: commit 900702bcff507a99f50a1d2ab09297d0e262d865 Author: Poul-Henning Kamp Date: Mon Apr 13 20:45:31 2015 +0000 Move each vcl into a subdirectory under the -n directory diff --git a/bin/varnishd/mgt/mgt.h b/bin/varnishd/mgt/mgt.h index ae65533..410439e 100644 --- a/bin/varnishd/mgt/mgt.h +++ b/bin/varnishd/mgt/mgt.h @@ -85,7 +85,7 @@ enum jail_master_e { typedef int jail_init_f(char **); typedef void jail_master_f(enum jail_master_e); typedef void jail_subproc_f(enum jail_subproc_e); -typedef void jail_make_workdir_f(const char *dname); +typedef void jail_make_dir_f(const char *dname); typedef void jail_storage_file_f(int fd); struct jail_tech { @@ -95,7 +95,8 @@ struct jail_tech { jail_init_f *init; jail_master_f *master; jail_subproc_f *subproc; - jail_make_workdir_f *make_workdir; + jail_make_dir_f *make_workdir; + jail_make_dir_f *make_vcldir; jail_storage_file_f *storage_file; }; 
@@ -103,6 +104,7 @@ void VJ_Init(const char *j_arg); void VJ_master(enum jail_master_e jme); void VJ_subproc(enum jail_subproc_e jse); void VJ_make_workdir(const char *dname); +void VJ_make_vcldir(const char *dname); void VJ_storage_file(int fd); extern const struct jail_tech jail_tech_unix; diff --git a/bin/varnishd/mgt/mgt_jail.c b/bin/varnishd/mgt/mgt_jail.c index f95bc81..b9a1ad9 100644 --- a/bin/varnishd/mgt/mgt_jail.c +++ b/bin/varnishd/mgt/mgt_jail.c @@ -163,6 +163,22 @@ VJ_make_workdir(const char *dname) } void +VJ_make_vcldir(const char *dname) +{ + + AN(dname); + CHECK_OBJ_NOTNULL(vjt, JAIL_TECH_MAGIC); + if (vjt->make_vcldir != NULL) { + vjt->make_vcldir(dname); + return; + } + + if (mkdir(dname, 0755) < 0 && errno != EEXIST) + ARGV_ERR("Cannot create VCL directory '%s': %s\n", + dname, strerror(errno)); +} + +void VJ_storage_file(int fd) { diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c index 4f9122c..a10c645 100644 --- a/bin/varnishd/mgt/mgt_jail_unix.c +++ b/bin/varnishd/mgt/mgt_jail_unix.c @@ -177,7 +177,7 @@ vju_subproc(enum jail_subproc_e jse) #endif } -static void +static void __match_proto__(jail_make_dir_f) vju_make_workdir(const char *dname) { int fd; @@ -208,6 +208,16 @@ vju_make_workdir(const char *dname) AZ(unlink("_.testfile")); } +static void __match_proto__(jail_make_dir_f) +vju_make_vcldir(const char *dname) +{ + AZ(seteuid(0)); + + AZ(mkdir(dname, 0755)); + AZ(chown(dname, vju_uid, vju_gid)); + AZ(seteuid(vju_uid)); +} + static void vju_storage_file(int fd) { @@ -223,6 +233,7 @@ const struct jail_tech jail_tech_unix = { .init = vju_init, .master = vju_master, .make_workdir = vju_make_workdir, + .make_vcldir = vju_make_vcldir, .storage_file = vju_storage_file, .subproc = vju_subproc, }; diff --git a/bin/varnishd/mgt/mgt_vcc.c b/bin/varnishd/mgt/mgt_vcc.c index 78c9169..9de54e6 100644 --- a/bin/varnishd/mgt/mgt_vcc.c +++ b/bin/varnishd/mgt/mgt_vcc.c 
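Review bot: vju_make_vcldir calls `chown(dname, vju_uid, vju_gid)` by path while the effective uid is 0, and `chown()` follows symbolic links; if the directory that holds `dname` is writable by the unprivileged uid, the path can be swapped between the `mkdir()` and the `chown()`. The minimal change is `AZ(lchown(dname, vju_uid, vju_gid));`. A stricter variant opens the new directory with `O_DIRECTORY | O_NOFOLLOW` and changes ownership through the descriptor with `fchown()`, so that no second path lookup happens with raised privileges.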
@@ -283,13 +283,19 @@ mgt_VccCompile(struct cli *cli, const char *vclname, const char *vclsrc, INIT_OBJ(&vp, VCC_PRIV_MAGIC); vp.src = vclsrc; - VSB_printf(sb, "./vcl_%s.c", vclname); + VSB_printf(sb, "vcl_%s", vclname); + AZ(VSB_finish(sb)); + VJ_make_vcldir(VSB_data(sb)); + + + VSB_clear(sb); + VSB_printf(sb, "vcl_%s/vgc.c", vclname); AZ(VSB_finish(sb)); vp.srcfile = strdup(VSB_data(sb)); AN(vp.srcfile); VSB_clear(sb); - VSB_printf(sb, "./vcl_%s.so", vclname); + VSB_printf(sb, "vcl_%s/vgc.so", vclname); AZ(VSB_finish(sb)); vp.libfile = strdup(VSB_data(sb)); AN(vp.srcfile); From phk at FreeBSD.org Mon Apr 13 22:28:15 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 14 Apr 2015 00:28:15 +0200 Subject: [master] 043ecc5 Make sure that the vcl poker never sees the high default cooldown timer parameter. Message-ID: commit 043ecc54801915ac99ecdf199a596c106656ddcb Author: Poul-Henning Kamp Date: Mon Apr 13 22:27:20 2015 +0000 Make sure that the vcl poker never sees the high default cooldown timer parameter. diff --git a/bin/varnishtest/tests/v00044.vtc b/bin/varnishtest/tests/v00044.vtc index b89b73f..6f44d82 100644 --- a/bin/varnishtest/tests/v00044.vtc +++ b/bin/varnishtest/tests/v00044.vtc @@ -7,15 +7,13 @@ server s1 -repeat 20 { close } -start -varnish v1 -vcl { +varnish v1 -arg "-p vcl_cooldown=1" -vcl { backend default { .host = "${s1_addr}"; .probe = { .interval = 1s; .initial = 1;} } } -start -varnish v1 -cliok "param.set vcl_cooldown 1" - # We only have one vcl yet varnish v1 -expect VBE.vcl1.default.happy >= 0 varnish v1 -expect !VBE.vcl2.default.happy @@ -50,7 +48,7 @@ varnish v1 -expect VBE.vcl1.default.happy >= 0 varnish v1 -expect VBE.vcl2.default.happy >= 0 # and the unused one should go cold -delay 3 +delay 4 varnish v1 -expect !VBE.vcl2.default.happy # Mark the used warm and use it the other From phk at FreeBSD.org Tue Apr 14 08:23:12 2015 
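Review bot: In mgt_VccCompile, `vclname` is formatted straight into the directory name `vcl_%s` that is handed to `VJ_make_vcldir()`, which under the unix jail creates and chowns that path with euid 0, and nothing in this hunk limits `vclname` to a single path component. Unless the CLI layer already rejects such names, a check before the first `VSB_printf` should refuse names containing a path separator, e.g. `if (strchr(vclname, '/') != NULL)` followed by the function's normal error return. Also, `AN(vp.srcfile);` after `vp.libfile = strdup(VSB_data(sb));` tests the wrong pointer and should read `AN(vp.libfile);`. mgt_VccCompile starts and ends outside the hunk.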
From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 14 Apr 2015 10:23:12 +0200 Subject: [master] 15a6fdf More comprehensive cleanup in the -n directory on exit. Message-ID: commit 15a6fdf739ce87b6fa61613c57a1e3b34698941e Author: Poul-Henning Kamp Date: Tue Apr 14 08:22:51 2015 +0000 More comprehensive cleanup in the -n directory on exit. diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index 5ea594c..7e98190 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c @@ -301,6 +301,18 @@ cli_stdin_close(void *priv) /*--------------------------------------------------------------------*/ +static void +mgt_secret_atexit(void) +{ + + /* Only master process */ + if (getpid() != mgt_pid) + return; + VJ_master(JAIL_MASTER_FILE); + AZ(unlink("_.secret")); + VJ_master(JAIL_MASTER_LOW); +} + static const char * make_secret(const char *dirname) { @@ -311,6 +323,7 @@ make_secret(const char *dirname) assert(asprintf(&fn, "%s/_.secret", dirname) > 0); + VJ_master(JAIL_MASTER_FILE); fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600); if (fd < 0) { fprintf(stderr, "Cannot create secret-file in %s (%s)\n", @@ -322,6 +335,8 @@ make_secret(const char *dirname) buf[i] = random() & 0xff; assert(sizeof buf == write(fd, buf, sizeof buf)); AZ(close(fd)); + VJ_master(JAIL_MASTER_LOW); + AZ(atexit(mgt_secret_atexit)); return (fn); } diff --git a/bin/varnishd/mgt/mgt_shmem.c b/bin/varnishd/mgt/mgt_shmem.c index 66c87de..f0a9141 100644 --- a/bin/varnishd/mgt/mgt_shmem.c +++ b/bin/varnishd/mgt/mgt_shmem.c @@ -305,8 +305,7 @@ mgt_SHM_Size_Adjust(void) * Exit handler that clears the owning pid from the SHMLOG */ -static -void +static void mgt_shm_atexit(void) { diff --git a/bin/varnishd/mgt/mgt_vcl.c b/bin/varnishd/mgt/mgt_vcl.c index 062c9ca..743b57f 100644 --- a/bin/varnishd/mgt/mgt_vcl.c +++ b/bin/varnishd/mgt/mgt_vcl.c 
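Review bot: make_secret fills the secret file from `random()` (`buf[i] = random() & 0xff;`, unchanged context in this hunk), which is a predictable generator and a poor fit for a value used as a shared secret, if this file is what mcf_auth in mgt_cli.c opens as `secret_file`. The bytes should come from the operating system's CSPRNG instead, as sketched below with a new local `int rfd`. The new mgt_secret_atexit also calls `AZ(unlink("_.secret"))` with a relative path, so it depends on the working directory at exit and aborts if the file is already gone; `(void)unlink("_.secret");` would keep exit-time cleanup best-effort. make_secret starts and ends outside the hunk.

```c
	/* … unchanged: open() of fn with raised privileges … */
	rfd = open("/dev/urandom", O_RDONLY);
	if (rfd < 0 || read(rfd, buf, sizeof buf) != (ssize_t)sizeof buf) {
		fprintf(stderr, "Cannot read random data for secret-file\n");
		exit(1);
	}
	AZ(close(rfd));
	assert(sizeof buf == write(fd, buf, sizeof buf));
```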
@@ -90,9 +90,14 @@ mgt_vcl_add(const char *name, const char *libfile, const char *state) static void mgt_vcl_del(struct vclprog *vp) { + char dn[256]; + VTAILQ_REMOVE(&vclhead, vp, list); - printf("unlink %s\n", vp->fname); XXXAZ(unlink(vp->fname)); + bprintf(dn, "vcl_%s", vp->name); + VJ_master(JAIL_MASTER_FILE); + XXXAZ(rmdir(dn)); + VJ_master(JAIL_MASTER_LOW); free(vp->fname); free(vp->name); free(vp); @@ -448,13 +453,11 @@ mgt_vcl_atexit(void) if (getpid() != mgt_pid) return; - while (1) { + do { vp = VTAILQ_FIRST(&vclhead); - if (vp == NULL) - break; - (void)unlink(vp->fname); - VTAILQ_REMOVE(&vclhead, vp, list); - } + if (vp != NULL) + mgt_vcl_del(vp); + } while (vp != NULL); } void From phk at FreeBSD.org Tue Apr 14 08:46:05 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 14 Apr 2015 10:46:05 +0200 Subject: [master] dc8b52b Used raised jail privs for file operations, and leave the -n dir owned by the initial uid/gid of the varnishd process. Message-ID: commit dc8b52bcaa47db5192f6be031c35245eaef626dc Author: Poul-Henning Kamp Date: Tue Apr 14 08:45:36 2015 +0000 Used raised jail privs for file operations, and leave the -n dir owned by the initial uid/gid of the varnishd process. diff --git a/bin/varnishd/mgt/mgt_cli.c b/bin/varnishd/mgt/mgt_cli.c index bf70e03..74980a4 100644 --- a/bin/varnishd/mgt/mgt_cli.c +++ b/bin/varnishd/mgt/mgt_cli.c @@ -284,13 +284,16 @@ mcf_auth(struct cli *cli, const char *const *av, void *priv) VCLI_SetResult(cli, CLIS_CANT); return; } + VJ_master(JAIL_MASTER_FILE); fd = open(secret_file, O_RDONLY); if (fd < 0) { VCLI_Out(cli, "Cannot open secret file (%s)\n", strerror(errno)); VCLI_SetResult(cli, CLIS_CANT); + VJ_master(JAIL_MASTER_LOW); return; } + VJ_master(JAIL_MASTER_LOW); mgt_got_fd(fd); VCLI_AuthResponse(fd, cli->challenge, buf); AZ(close(fd)); 
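Review bot: mgt_vcl_atexit now goes through mgt_vcl_del, so exit-time cleanup runs `XXXAZ(unlink(vp->fname))` and `XXXAZ(rmdir(dn))` where it previously used `(void)unlink(vp->fname)`; a file that is already gone, or a `vcl_NAME` directory that still holds another file, turns process exit into an assertion failure. Keeping the atexit path best-effort, with `(void)unlink(vp->fname);` and `(void)rmdir(dn);` there, avoids that. In mgt_vcl_del the `unlink()` also runs before `VJ_master(JAIL_MASTER_FILE);` while the `rmdir()` runs after it, so the two calls execute with different privileges; a comment should say whether that split is intended.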
@@ -494,11 +497,13 @@ mgt_cli_secret(const char *S_arg) /* Save in shmem */ mgt_SHM_static_alloc(S_arg, strlen(S_arg) + 1L, "Arg", "-S", ""); + VJ_master(JAIL_MASTER_FILE); fd = open(S_arg, O_RDONLY); if (fd < 0) { fprintf(stderr, "Can not open secret-file \"%s\"\n", S_arg); exit(2); } + VJ_master(JAIL_MASTER_LOW); mgt_got_fd(fd); i = read(fd, buf, sizeof buf); if (i == 0) { diff --git a/bin/varnishd/mgt/mgt_jail.c b/bin/varnishd/mgt/mgt_jail.c index b9a1ad9..260e6f6 100644 --- a/bin/varnishd/mgt/mgt_jail.c +++ b/bin/varnishd/mgt/mgt_jail.c @@ -145,6 +145,7 @@ VJ_make_workdir(const char *dname) return; } + VJ_master(JAIL_MASTER_FILE); if (mkdir(dname, 0755) < 0 && errno != EEXIST) ARGV_ERR("Cannot create working directory '%s': %s\n", dname, strerror(errno)); @@ -160,6 +161,7 @@ VJ_make_workdir(const char *dname) dname, strerror(errno)); AZ(close(fd)); AZ(unlink("_.testfile")); + VJ_master(JAIL_MASTER_LOW); } void diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c index a10c645..8b989a8 100644 --- a/bin/varnishd/mgt/mgt_jail_unix.c +++ b/bin/varnishd/mgt/mgt_jail_unix.c @@ -47,6 +47,7 @@ #include #endif +static gid_t vju_mgr_gid; static uid_t vju_uid; static gid_t vju_gid; static const char *vju_user; @@ -111,6 +112,8 @@ vju_init(char **args) if (geteuid() != 0) ARGV_ERR("Unix Jail: Must be root.\n"); + vju_mgr_gid = getgid(); + for (;*args != NULL; args++) { if (!strncmp(*args, "user=", 5)) { if (vju_getuid((*args) + 5)) @@ -139,10 +142,13 @@ vju_init(char **args) static void __match_proto__(jail_master_f) vju_master(enum jail_master_e jme) { - if (jme == JAIL_MASTER_LOW) + if (jme == JAIL_MASTER_LOW) { + AZ(setegid(vju_gid)); AZ(seteuid(vju_uid)); - else + } else { AZ(seteuid(0)); + AZ(setegid(vju_mgr_gid)); + } } static void __match_proto__(jail_subproc_f) 
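Review bot: The `fd < 0` branch of mgt_cli_secret() calls `exit(2)` before `VJ_master(JAIL_MASTER_LOW)`, so any atexit handlers run with the raised credentials. The same shape recurs in this commit in VJ_make_workdir() (the ARGV_ERR calls between the two added lines, assuming ARGV_ERR exits), around `VPF_Open()` in main(), and on the `rename()` failure path of mgt_SHM_Commit(). mcf_auth() in the same commit restores before returning; lowering first and reporting afterwards would make the error paths consistent. The message here would also be more useful with `strerror(errno)` appended.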
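Review bot: vju_master() treats every value other than JAIL_MASTER_LOW as "become euid 0", and the order of the four calls matters but is not commented. Suggest a comment above the function along the lines of `/* change egid while euid is 0: lower gid before uid, raise uid before gid */`. The comment should also say that `vju_mgr_gid` is the real gid captured by `getgid()` in vju_init(), since the raised state therefore depends on how varnishd was started. Supplementary groups are not touched in this hunk; whether that is intended cannot be told from here.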
@@ -178,42 +184,11 @@ vju_subproc(enum jail_subproc_e jse) } static void __match_proto__(jail_make_dir_f) -vju_make_workdir(const char *dname) -{ - int fd; - - AZ(seteuid(0)); - - if (mkdir(dname, 0755) < 0 && errno != EEXIST) - ARGV_ERR("Cannot create working directory '%s': %s\n", - dname, strerror(errno)); - - if (chown(dname, vju_uid, vju_gid) < 0) - ARGV_ERR( - "Cannot set owner/group on working directory '%s': %s\n", - dname, strerror(errno)); - - if (chdir(dname) < 0) - ARGV_ERR("Cannot change to working directory '%s': %s\n", - dname, strerror(errno)); - - AZ(seteuid(vju_uid)); - - fd = open("_.testfile", O_RDWR|O_CREAT|O_EXCL, 0600); - if (fd < 0) - ARGV_ERR("Error: Cannot create test-file in %s (%s)\n" - "Check permissions (or delete old directory)\n", - dname, strerror(errno)); - AZ(close(fd)); - AZ(unlink("_.testfile")); -} - -static void __match_proto__(jail_make_dir_f) vju_make_vcldir(const char *dname) { AZ(seteuid(0)); - AZ(mkdir(dname, 0755)); + assert((mkdir(dname, 0755) == 0) || errno == EEXIST); AZ(chown(dname, vju_uid, vju_gid)); AZ(seteuid(vju_uid)); } @@ -232,7 +207,6 @@ const struct jail_tech jail_tech_unix = { .name = "unix", .init = vju_init, .master = vju_master, - .make_workdir = vju_make_workdir, .make_vcldir = vju_make_vcldir, .storage_file = vju_storage_file, .subproc = vju_subproc, diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index 7e98190..48e654e 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c @@ -324,7 +324,7 @@ make_secret(const char *dirname) assert(asprintf(&fn, "%s/_.secret", dirname) > 0); VJ_master(JAIL_MASTER_FILE); - fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600); + fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0640); if (fd < 0) { fprintf(stderr, "Cannot create secret-file in %s (%s)\n", dirname, strerror(errno)); 
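Review bot: Accepting `EEXIST` in vju_make_vcldir() means the following `AZ(chown(dname, vju_uid, vju_gid))` runs as euid 0 on an entry this call did not create, and chown() follows symlinks. If a `vcl_<name>` entry already exists as a link, ownership of the link target is what changes. Opening the directory with `O_DIRECTORY|O_NOFOLLOW` and using `fchown()`, or checking with `lstat()` and using `lchown()`, avoids that. Separately, keep the side effect out of the assertion expression: `i = mkdir(dname, 0755); assert(i == 0 || errno == EEXIST);`.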
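Review bot: The mode in `open(fn, O_RDWR|O_CREAT|O_TRUNC, 0640)` in make_secret() only applies when `_.secret` is newly created, and even then it is filtered by the umask. A file that already exists keeps its previous mode and owner, so the intended permissions on the CLI secret are not guaranteed in either direction. An explicit `AZ(fchmod(fd, 0640));` after the open would pin them. Since this widens the secret from owner-only, add a comment naming which group needs read access.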
@@ -630,9 +630,11 @@ main(int argc, char * const *argv) VJ_make_workdir(dirname); /* XXX: should this be relative to the -n arg ? */ + VJ_master(JAIL_MASTER_FILE); if (P_arg && (pfh = VPF_Open(P_arg, 0644, NULL)) == NULL) ARGV_ERR("Could not open pid/lock (-P) file (%s): %s\n", P_arg, strerror(errno)); + VJ_master(JAIL_MASTER_LOW); mgt_vcc_init(); mgt_vcl_init(); diff --git a/bin/varnishd/mgt/mgt_shmem.c b/bin/varnishd/mgt/mgt_shmem.c index f0a9141..7ac8a53 100644 --- a/bin/varnishd/mgt/mgt_shmem.c +++ b/bin/varnishd/mgt/mgt_shmem.c @@ -197,7 +197,9 @@ mgt_SHM_Create(void) bprintf(fnbuf, "%s.%jd", VSM_FILENAME, (intmax_t)getpid()); + VJ_master(JAIL_MASTER_FILE); vsm_fd = vsm_zerofile(fnbuf, size); + VJ_master(JAIL_MASTER_LOW); if (vsm_fd < 0) exit(1); @@ -255,12 +257,14 @@ mgt_SHM_Commit(void) char fnbuf[64]; bprintf(fnbuf, "%s.%jd", VSM_FILENAME, (intmax_t)getpid()); + VJ_master(JAIL_MASTER_FILE); if (rename(fnbuf, VSM_FILENAME)) { fprintf(stderr, "Rename failed %s -> %s: %s\n", fnbuf, VSM_FILENAME, strerror(errno)); (void)unlink(fnbuf); exit(1); } + VJ_master(JAIL_MASTER_LOW); } /*-------------------------------------------------------------------- From phk at FreeBSD.org Tue Apr 14 08:53:51 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 14 Apr 2015 10:53:51 +0200 Subject: [master] 6e7c5cf Complain if no -a arguments. Message-ID: commit 6e7c5cf62cc1a54caf7937c70a881a2846e84b11 Author: Poul-Henning Kamp Date: Tue Apr 14 08:53:15 2015 +0000 Complain if no -a arguments. Also open argv-supplied secret files with elevated privs. diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index 48e654e..3622b12 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c 
@@ -599,11 +599,13 @@ main(int argc, char * const *argv) fprintf(stderr, "Warning: Empty -S argument, no CLI authentication.\n"); } else if (S_arg != NULL) { + VJ_master(JAIL_MASTER_FILE); o = open(S_arg, O_RDONLY, 0); if (o < 0) ARGV_ERR("Cannot open -S file (%s): %s\n", S_arg, strerror(errno)); AZ(close(o)); + VJ_master(JAIL_MASTER_LOW); } if (f_arg != NULL) { @@ -651,6 +653,9 @@ main(int argc, char * const *argv) } else if (C_flag) ARGV_ERR("-C only good with -b or -f\n"); + if (VTAILQ_EMPTY(&heritage.socks)) + ARGV_ERR("Need -a argument(s)\n"); + if (!d_flag) { if (b_arg == NULL && f_arg == NULL) { fprintf(stderr, From phk at FreeBSD.org Tue Apr 14 12:34:02 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 14 Apr 2015 14:34:02 +0200 Subject: [master] b74b0bb Run CC in a writable directory. Message-ID: commit b74b0bb28b739dd17b4de645dc150f6b46965abd Author: Poul-Henning Kamp Date: Tue Apr 14 12:33:27 2015 +0000 Run CC in a writable directory. Don't assert that we can remove VCL directories, compilers may have left crumbs there, for instance gcov profiling info. diff --git a/bin/varnishd/mgt/mgt_vcc.c b/bin/varnishd/mgt/mgt_vcc.c index 9de54e6..76df5e6 100644 --- a/bin/varnishd/mgt/mgt_vcc.c +++ b/bin/varnishd/mgt/mgt_vcc.c @@ -53,6 +53,7 @@ struct vcc_priv { unsigned magic; #define VCC_PRIV_MAGIC 0x70080cb8 + char *dir; const char *src; char *srcfile; char *libfile; @@ -67,6 +68,9 @@ unsigned mgt_vcc_unsafe_path; static struct vcc *vcc; +#define VGC_SRC "vgc.c" +#define VGC_LIB "vgc.so" + /*--------------------------------------------------------------------*/ static const char * const builtin_vcl = @@ -85,8 +89,11 @@ run_vcc(void *priv) struct vcc_priv *vp; int fd, i, l; - CAST_OBJ_NOTNULL(vp, priv, VCC_PRIV_MAGIC); VJ_subproc(JAIL_SUBPROC_VCC); + CAST_OBJ_NOTNULL(vp, priv, VCC_PRIV_MAGIC); + + AZ(chdir(vp->dir)); + sb = VSB_new_auto(); XXXAN(sb); VCC_VCL_dir(vcc, mgt_vcl_dir); 
@@ -102,15 +109,15 @@ run_vcc(void *priv) if (csrc == NULL) exit(2); - fd = open(vp->srcfile, O_WRONLY|O_TRUNC|O_CREAT, 0600); + fd = open(VGC_SRC, O_WRONLY|O_TRUNC|O_CREAT, 0600); if (fd < 0) { - fprintf(stderr, "Cannot open %s", vp->srcfile); + fprintf(stderr, "VCC cannot open %s", vp->srcfile); exit(2); } l = strlen(csrc); i = write(fd, csrc, l); if (i != l) { - fprintf(stderr, "Cannot write %s", vp->srcfile); + fprintf(stderr, "VCC cannot write %s", vp->srcfile); exit(2); } AZ(close(fd)); @@ -133,16 +140,18 @@ run_cc(void *priv) VJ_subproc(JAIL_SUBPROC_CC); CAST_OBJ_NOTNULL(vp, priv, VCC_PRIV_MAGIC); + AZ(chdir(vp->dir)); + sb = VSB_new_auto(); AN(sb); for (p = mgt_cc_cmd, pct = 0; *p; ++p) { if (pct) { switch (*p) { case 's': - VSB_cat(sb, vp->srcfile); + VSB_cat(sb, VGC_SRC); break; case 'o': - VSB_cat(sb, vp->libfile); + VSB_cat(sb, VGC_LIB); break; case '%': VSB_putc(sb, '%'); @@ -285,17 +294,19 @@ mgt_VccCompile(struct cli *cli, const char *vclname, const char *vclsrc, VSB_printf(sb, "vcl_%s", vclname); AZ(VSB_finish(sb)); - VJ_make_vcldir(VSB_data(sb)); + vp.dir = strdup(VSB_data(sb)); + AN(vp.dir); + VJ_make_vcldir(vp.dir); VSB_clear(sb); - VSB_printf(sb, "vcl_%s/vgc.c", vclname); + VSB_printf(sb, "%s/%s", vp.dir, VGC_SRC); AZ(VSB_finish(sb)); vp.srcfile = strdup(VSB_data(sb)); AN(vp.srcfile); VSB_clear(sb); - VSB_printf(sb, "vcl_%s/vgc.so", vclname); + VSB_printf(sb, "%s/%s", vp.dir, VGC_LIB); AZ(VSB_finish(sb)); vp.libfile = strdup(VSB_data(sb)); AN(vp.srcfile); @@ -311,6 +322,8 @@ mgt_VccCompile(struct cli *cli, const char *vclname, const char *vclsrc, (void)unlink(vp.srcfile); free(vp.srcfile); + free(vp.dir); + if (status || C_flag) { (void)unlink(vp.libfile); free(vp.libfile); diff --git a/bin/varnishd/mgt/mgt_vcl.c b/bin/varnishd/mgt/mgt_vcl.c index 743b57f..1926c04 100644 --- a/bin/varnishd/mgt/mgt_vcl.c +++ b/bin/varnishd/mgt/mgt_vcl.c 
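Review bot: run_vcc() now opens `VGC_SRC` relative to the directory it changed into, but both error messages still print `vp->srcfile`, and neither carries the errno text or a trailing newline. When the open fails because of the new chdir or directory permissions, the log gives no cause. Suggest `fprintf(stderr, "VCC cannot open %s: %s\n", vp->srcfile, strerror(errno));` and the same for the write message. The function starts before this hunk.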
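Review bot: In the `vp.libfile` block of mgt_VccCompile() the check after `strdup()` is `AN(vp.srcfile)` (a context line in the hunk being edited), so a failed allocation of `vp.libfile` goes unnoticed; it should read `AN(vp.libfile);`. The new `vp.dir` is built from `vclname` through `"vcl_%s"` and then passed to VJ_make_vcldir() and, in the children, to chdir(). Where `vclname` is validated is not visible in the hunk, so a comment stating that it cannot contain `/` would document the assumption the directory handling depends on.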
@@ -96,7 +96,7 @@ mgt_vcl_del(struct vclprog *vp) XXXAZ(unlink(vp->fname)); bprintf(dn, "vcl_%s", vp->name); VJ_master(JAIL_MASTER_FILE); - XXXAZ(rmdir(dn)); + (void)rmdir(dn); // compiler droppings, eg gcov VJ_master(JAIL_MASTER_LOW); free(vp->fname); free(vp->name); From nils.goroll at uplex.de Tue Apr 14 16:55:17 2015 From: nils.goroll at uplex.de (Nils Goroll) Date: Tue, 14 Apr 2015 18:55:17 +0200 Subject: [master] 95dca26 output the actual exit status and optional signal Message-ID: commit 95dca2632c30adff51fb28ffb6159c5373404125 Author: Nils Goroll Date: Tue Apr 14 18:21:42 2015 +0200 output the actual exit status and optional signal diff --git a/bin/varnishtest/vtc.c b/bin/varnishtest/vtc.c index 756c616..a956052 100644 --- a/bin/varnishtest/vtc.c +++ b/bin/varnishtest/vtc.c @@ -452,7 +452,9 @@ cmd_err_shell(CMD_ARGS) VSB_putc(vsb, c); } while (c != EOF); r = pclose(fp); - vtc_log(vl, 4, "Status = %d", r); + vtc_log(vl, 4, "Status = %d", WEXITSTATUS(r)); + if (WIFSIGNALED(r)) + vtc_log(vl, 4, "Signal = %d", WTERMSIG(r)); AZ(VSB_finish(vsb)); vtc_dump(vl, 4, "stdout", VSB_data(vsb), VSB_len(vsb)); if (strstr(VSB_data(vsb), av[1]) == NULL) From nils.goroll at uplex.de Tue Apr 14 16:55:17 2015 From: nils.goroll at uplex.de (Nils Goroll) Date: Tue, 14 Apr 2015 18:55:17 +0200 Subject: [master] 1bd283a fail err_shell test for exit status 0 Message-ID: commit 1bd283ab15ce44b8cf743f1eafc9bb98697fca74 Author: Nils Goroll Date: Tue Apr 14 18:26:04 2015 +0200 fail err_shell test for exit status 0 diff --git a/bin/varnishtest/vtc.c b/bin/varnishtest/vtc.c index a956052..c4c9fd5 100644 --- a/bin/varnishtest/vtc.c +++ b/bin/varnishtest/vtc.c 
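Review bot: `WEXITSTATUS(r)` in cmd_err_shell() is only meaningful when `WIFEXITED(r)` is true, and `pclose()` can also return -1. As written, a command killed by a signal will typically log `Status = 0`, and the follow-up hunk that adds `if (WEXITSTATUS(r) == 0)` then reports "expected error from shell" for it. Branch on the kind of termination first, e.g. `if (WIFEXITED(r)) vtc_log(vl, 4, "Status = %d", WEXITSTATUS(r));` followed by the existing `WIFSIGNALED` branch, and make the later test `WIFEXITED(r) && WEXITSTATUS(r) == 0`. An explicit check for `r == -1` would cover the pclose() failure case.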
@@ -455,6 +455,10 @@ cmd_err_shell(CMD_ARGS) vtc_log(vl, 4, "Status = %d", WEXITSTATUS(r)); if (WIFSIGNALED(r)) vtc_log(vl, 4, "Signal = %d", WTERMSIG(r)); + if (WEXITSTATUS(r) == 0) { + vtc_log(vl, 0, + "expected error from shell"); + } AZ(VSB_finish(vsb)); vtc_dump(vl, 4, "stdout", VSB_data(vsb), VSB_len(vsb)); if (strstr(VSB_data(vsb), av[1]) == NULL) From nils.goroll at uplex.de Tue Apr 14 16:55:17 2015 From: nils.goroll at uplex.de (Nils Goroll) Date: Tue, 14 Apr 2015 18:55:17 +0200 Subject: [master] ac69df7 varnishd -C on a bad vcl should exit with status 2 as it does without -C Message-ID: commit ac69df7db6ea97dc244df357e14013e720fe9801 Author: Nils Goroll Date: Tue Apr 14 18:54:44 2015 +0200 varnishd -C on a bad vcl should exit with status 2 as it does without -C diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index 3622b12..f77ceb7 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c @@ -644,6 +644,7 @@ main(int argc, char * const *argv) if (b_arg != NULL || f_arg != NULL) { mgt_vcc_default(cli, b_arg, vcl, C_flag); if (C_flag) { + cli_check(cli); AZ(VSB_finish(cli->sb)); fprintf(stderr, "%s\n", VSB_data(cli->sb)); exit(0); diff --git a/bin/varnishd/mgt/mgt_vcc.c b/bin/varnishd/mgt/mgt_vcc.c index 76df5e6..f350614 100644 --- a/bin/varnishd/mgt/mgt_vcc.c +++ b/bin/varnishd/mgt/mgt_vcc.c @@ -327,7 +327,7 @@ mgt_VccCompile(struct cli *cli, const char *vclname, const char *vclsrc, if (status || C_flag) { (void)unlink(vp.libfile); free(vp.libfile); - if (!C_flag) { + if (status) { VCLI_Out(cli, "VCL compilation failed"); VCLI_SetResult(cli, CLIS_PARAM); } diff --git a/bin/varnishtest/tests/a00009.vtc b/bin/varnishtest/tests/a00009.vtc index 13bd015..d76a6fe 100644 --- a/bin/varnishtest/tests/a00009.vtc +++ b/bin/varnishtest/tests/a00009.vtc 
@@ -3,6 +3,8 @@ varnishtest "Code coverage of VCL compiler and RSTdump etc" shell "${varnishd} -b 127.0.0.1:80 -C -n ${tmpdir} > /dev/null 2>&1" shell "${varnishd} -x dumprstparam > /dev/null 2>&1" shell "${varnishd} -x dumprstvsl > /dev/null 2>&1" +err_shell {VCL version declaration missing} "test -d ${tmpdir} || mkdir ${tmpdir} ; echo 'bad vcl' >${tmpdir}/t.vcl ; ${varnishd} -f ${tmpdir}/t.vcl -n ${tmpdir} 2>&1" +err_shell {VCL version declaration missing} "test -d ${tmpdir} || mkdir ${tmpdir} ; echo 'bad vcl' >${tmpdir}/t.vcl ; ${varnishd} -C -f ${tmpdir}/t.vcl -n ${tmpdir} 2>&1" err_shell {-spersistent has been deprecated} "${varnishd} -spersistent 2>&1" err_shell {Unknown jail method "xyz"} "${varnishd} -jxyz 2>&1" err_shell {-j must be the first argument} "${varnishd} -jnone -jxyz 2>&1" From phk at FreeBSD.org Tue Apr 14 20:48:22 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 14 Apr 2015 22:48:22 +0200 Subject: [master] db1a7ca Introduce a "workuser" subargument to -junix, which makes it possible to run the varnishd worker process as a different user than the VCC and CC subprocesses. Message-ID: commit db1a7ca80340dc17a3924437c1e76f45124ba7d9 Author: Poul-Henning Kamp Date: Tue Apr 14 20:46:11 2015 +0000 Introduce a "workuser" subargument to -junix, which makes it possible to run the varnishd worker process as a different user than the VCC and CC subprocesses. It is mandatory that the workuser has the same login group as the user subparamter. Recommended values for packaging: -junix,user=varnish "varnish" user has login group "varnish" -junix,workuser=vrun "vrun" user has login group "varnish" diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c index 8b989a8..7afc364 100644 --- a/bin/varnishd/mgt/mgt_jail_unix.c +++ b/bin/varnishd/mgt/mgt_jail_unix.c 
@@ -51,6 +51,11 @@ static gid_t vju_mgr_gid; static uid_t vju_uid; static gid_t vju_gid; static const char *vju_user; + +static uid_t vju_wrkuid; +static gid_t vju_wrkgid; +static const char *vju_wrkuser; + static gid_t vju_cc_gid; static int vju_cc_gid_set; @@ -79,6 +84,22 @@ vju_getuid(const char *arg) } static int +vju_getwrkuid(const char *arg) +{ + struct passwd *pw; + + pw = getpwnam(arg); + if (pw != NULL) { + vju_wrkuser = strdup(arg); + AN(vju_wrkuser); + vju_wrkuid = pw->pw_uid; + vju_wrkgid = pw->pw_gid; + } + endpwent(); + return (pw == NULL ? -1 : 0); +} + +static int vju_getccgid(const char *arg) { struct group *gr; @@ -121,6 +142,12 @@ vju_init(char **args) (*args) + 5); continue; } + if (!strncmp(*args, "workuser=", 9)) { + if (vju_getwrkuid((*args) + 9)) + ARGV_ERR("Unix jail: %s user not found.\n", + (*args) + 5); + continue; + } if (!strncmp(*args, "ccgroup=", 8)) { if (vju_getccgid((*args) + 8)) ARGV_ERR("Unix jail: %s group not found.\n", @@ -158,8 +185,14 @@ vju_subproc(enum jail_subproc_e jse) gid_t gid_list[NGID]; AZ(seteuid(0)); - AZ(setgid(vju_gid)); - AZ(initgroups(vju_user, vju_gid)); + if (vju_wrkuser != NULL && + (jse == JAIL_SUBPROC_VCLLOAD || jse == JAIL_SUBPROC_WORKER)) { + AZ(setgid(vju_wrkgid)); + AZ(initgroups(vju_wrkuser, vju_wrkgid)); + } else { + AZ(setgid(vju_gid)); + AZ(initgroups(vju_user, vju_gid)); + } if (jse == JAIL_SUBPROC_CC && vju_cc_gid_set) { /* Add the optional extra group for the C-compiler access */ @@ -169,7 +202,12 @@ vju_subproc(enum jail_subproc_e jse) AZ(setgroups(i, gid_list)); } - AZ(setuid(vju_uid)); + if (vju_wrkuser != NULL && + (jse == JAIL_SUBPROC_VCLLOAD || jse == JAIL_SUBPROC_WORKER)) { + AZ(setuid(vju_wrkuid)); + } else { + AZ(setuid(vju_uid)); + } #ifdef __linux__ /* diff --git a/bin/varnishd/mgt/mgt_vcc.c b/bin/varnishd/mgt/mgt_vcc.c index f350614..4ee4fc7 100644 --- a/bin/varnishd/mgt/mgt_vcc.c +++ b/bin/varnishd/mgt/mgt_vcc.c 
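Review bot: The error path for `workuser=` in vju_init() prints `(*args) + 5`, copied from the `user=` branch, although the prefix matched just above is nine characters long. The message therefore begins in the middle of the keyword instead of at the user name. It should be `ARGV_ERR("Unix jail: %s user not found.\n", (*args) + 9);`. The new j00002.vtc case only matches "user not found", so it will not catch this.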
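Review bot: vju_subproc() now spells out the predicate `vju_wrkuser != NULL && (jse == JAIL_SUBPROC_VCLLOAD || jse == JAIL_SUBPROC_WORKER)` twice, once for the group calls and once for `setuid()`. If the two copies ever diverge, a subprocess gets the group of one account and the uid of the other. Computing it once at the top, e.g. `int wrk = vju_wrkuser != NULL && (jse == JAIL_SUBPROC_VCLLOAD || jse == JAIL_SUBPROC_WORKER);`, and testing `wrk` in both places removes that risk. The function continues past the end of the hunk.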
@@ -172,7 +172,7 @@ run_cc(void *priv) VSB_putc(sb, '%'); AZ(VSB_finish(sb)); - (void)umask(077); + (void)umask(027); (void)execl("/bin/sh", "/bin/sh", "-c", VSB_data(sb), (char*)0); VSB_delete(sb); // For flexelint } @@ -227,7 +227,7 @@ mgt_vcc_touchfile(const char *fn, struct vsb *sb) { int i; - i = open(fn, O_WRONLY|O_CREAT|O_TRUNC, 0600); + i = open(fn, O_WRONLY|O_CREAT|O_TRUNC, 0640); if (i < 0) { VSB_printf(sb, "Failed to create %s: %s", fn, strerror(errno)); return (2); diff --git a/bin/varnishtest/tests/j00001.vtc b/bin/varnishtest/tests/j00001.vtc new file mode 100644 index 0000000..25e6f3b --- /dev/null +++ b/bin/varnishtest/tests/j00001.vtc @@ -0,0 +1,24 @@ +varnishtest "Run worker with different uid in UNIX jail" + +# The "vrun" user must have login group "varnish" + +feature user_varnish +feature user_vrun +feature group_varnish +feature root + +server s1 { + rxreq + txresp +} -start + +varnish v1 \ + -jail "-junix,user=varnish,ccgroup=varnish,workuser=vrun" \ + -vcl+backend { +} -start + +client c1 { + txreq + rxresp + expect resp.status == 200 +} -run diff --git a/bin/varnishtest/tests/j00002.vtc b/bin/varnishtest/tests/j00002.vtc new file mode 100644 index 0000000..34165a5 --- /dev/null +++ b/bin/varnishtest/tests/j00002.vtc @@ -0,0 +1,8 @@ +varnishtest "-junix bad subarg handling" + +feature root + +err_shell "unknown sub-argument" "${varnishd} -junix,bla=foo 2>&1" +err_shell "user not found" "${varnishd} -junix,user=/// 2>&1" +err_shell "user not found" "${varnishd} -junix,workuser=/// 2>&1" +err_shell "group not found" "${varnishd} -junix,ccgroup=/// 2>&1" diff --git a/bin/varnishtest/vtc.c b/bin/varnishtest/vtc.c index c4c9fd5..89719e8 100644 --- a/bin/varnishtest/vtc.c +++ b/bin/varnishtest/vtc.c 
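Review bot: The relaxation from `umask(077)` to `umask(027)` in run_cc(), and from `0600` to `0640` in mgt_vcc_touchfile(), carries no comment saying who needs the group read bit. Presumably the worker running as `workuser` reads the compiled VCL through the shared login group; a comment such as `/* group-readable so the workuser can load the result */` at both places would record that. In mgt_vcc_touchfile() the mode only takes effect when the file is created, so an existing file keeps its old permissions.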
@@ -573,6 +573,10 @@ cmd_feature(CMD_ARGS) getpwnam("varnish") != NULL) continue; + if (!strcmp(av[i], "user_vrun") && + getpwnam("vrun") != NULL) + continue; + if (!strcmp(av[i], "group_varnish") && getgrnam("varnish") != NULL) continue; From phk at FreeBSD.org Tue Apr 14 23:02:38 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 15 Apr 2015 01:02:38 +0200 Subject: [master] cc27f9a Complain if -junix user and workuser have different login groups Message-ID: commit cc27f9aa9bd4e7b50534b602282846d505583a28 Author: Poul-Henning Kamp Date: Tue Apr 14 21:57:25 2015 +0000 Complain if -junix user and workuser have different login groups diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c index 7afc364..58eae00 100644 --- a/bin/varnishd/mgt/mgt_jail_unix.c +++ b/bin/varnishd/mgt/mgt_jail_unix.c @@ -160,6 +160,10 @@ vju_init(char **args) if (vju_user == NULL && vju_getuid(JAIL_USER)) ARGV_ERR("Unix jail: %s user not found.\n", JAIL_USER); + if (vju_wrkuser != NULL && vju_wrkgid != vju_gid) + ARGV_ERR("Unix jail: %s and %s have different login groups\n", + vju_user, vju_wrkuser); + /* Do an explicit JAIL_MASTER_LOW */ AZ(setegid(vju_gid)); AZ(seteuid(vju_uid)); From phk at FreeBSD.org Tue Apr 14 23:02:38 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 15 Apr 2015 01:02:38 +0200 Subject: [master] 191813f Test that -junix user/workuser have same login group Message-ID: commit 191813f61148f930859fae967e4e9ceca90a0d46 Author: Poul-Henning Kamp Date: Tue Apr 14 21:57:52 2015 +0000 Test that -junix user/workuser have same login group diff --git a/bin/varnishtest/tests/j00002.vtc b/bin/varnishtest/tests/j00002.vtc index 34165a5..cb58437 100644 --- a/bin/varnishtest/tests/j00002.vtc +++ b/bin/varnishtest/tests/j00002.vtc 
@@ -6,3 +6,4 @@ err_shell "unknown sub-argument" "${varnishd} -junix,bla=foo 2>&1" err_shell "user not found" "${varnishd} -junix,user=/// 2>&1" err_shell "user not found" "${varnishd} -junix,workuser=/// 2>&1" err_shell "group not found" "${varnishd} -junix,ccgroup=/// 2>&1" +err_shell "have different login groups" "${varnishd} -junix,workuser=root 2>&1" From nils.goroll at uplex.de Wed Apr 15 07:52:43 2015 From: nils.goroll at uplex.de (Nils Goroll) Date: Wed, 15 Apr 2015 09:52:43 +0200 Subject: [master] df3a54b tmpdir should always exist, start_test creates it. Message-ID: commit df3a54b2c650739b241e6afb9f1b51bce8959ac7 Author: Nils Goroll Date: Wed Apr 15 09:50:55 2015 +0200 tmpdir should always exist, start_test creates it. diff --git a/bin/varnishtest/tests/a00009.vtc b/bin/varnishtest/tests/a00009.vtc index d76a6fe..b2b63dc 100644 --- a/bin/varnishtest/tests/a00009.vtc +++ b/bin/varnishtest/tests/a00009.vtc 
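Review bot: The added `workuser=root` case passes no `user=`, so it reaches the login-group comparison only if the default jail user can be resolved, yet j00002.vtc declares only `feature root`. On a host without that account, vju_init() would presumably stop at its "user not found" error first and the expected string would never appear. Either move this case into a test that also declares `feature user_varnish`, as j00001.vtc does, or add that feature line here and accept that the other cases are then skipped too.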
@@ -3,8 +3,8 @@ varnishtest "Code coverage of VCL compiler and RSTdump etc" shell "${varnishd} -b 127.0.0.1:80 -C -n ${tmpdir} > /dev/null 2>&1" shell "${varnishd} -x dumprstparam > /dev/null 2>&1" shell "${varnishd} -x dumprstvsl > /dev/null 2>&1" -err_shell {VCL version declaration missing} "test -d ${tmpdir} || mkdir ${tmpdir} ; echo 'bad vcl' >${tmpdir}/t.vcl ; ${varnishd} -f ${tmpdir}/t.vcl -n ${tmpdir} 2>&1" -err_shell {VCL version declaration missing} "test -d ${tmpdir} || mkdir ${tmpdir} ; echo 'bad vcl' >${tmpdir}/t.vcl ; ${varnishd} -C -f ${tmpdir}/t.vcl -n ${tmpdir} 2>&1" +err_shell {VCL version declaration missing} "echo 'bad vcl' >${tmpdir}/t.vcl ; ${varnishd} -f ${tmpdir}/t.vcl -n ${tmpdir} 2>&1" +err_shell {VCL version declaration missing} "echo 'bad vcl' >${tmpdir}/t.vcl ; ${varnishd} -C -f ${tmpdir}/t.vcl -n ${tmpdir} 2>&1" err_shell {-spersistent has been deprecated} "${varnishd} -spersistent 2>&1" err_shell {Unknown jail method "xyz"} "${varnishd} -jxyz 2>&1" err_shell {-j must be the first argument} "${varnishd} -jnone -jxyz 2>&1" From phk at FreeBSD.org Wed Apr 15 12:02:59 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 15 Apr 2015 14:02:59 +0200 Subject: [master] a774a40 Make sure to not leave crumbs of the secret file in memory. Message-ID: commit a774a407c3e2c000a42a810d3d6e65c0789e785a Author: Poul-Henning Kamp Date: Wed Apr 15 07:17:53 2015 +0000 Make sure to not leave crumbs of the secret file in memory. diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index f77ceb7..9ddaece 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c @@ -319,7 +319,7 @@ make_secret(const char *dirname) char *fn; int fd; int i; - unsigned char buf[256]; + unsigned char b; assert(asprintf(&fn, "%s/_.secret", dirname) > 0); 
@@ -331,9 +331,10 @@ make_secret(const char *dirname) exit(1); } VRND_Seed(); - for (i = 0; i < sizeof buf; i++) - buf[i] = random() & 0xff; - assert(sizeof buf == write(fd, buf, sizeof buf)); + for (i = 0; i < 256; i++) { + b = random() & 0xff; + assert(1 == write(fd, &b, 1)); + } AZ(close(fd)); VJ_master(JAIL_MASTER_LOW); AZ(atexit(mgt_secret_atexit)); diff --git a/lib/libvarnish/cli_auth.c b/lib/libvarnish/cli_auth.c index a538f2b..d7b7bf2 100644 --- a/lib/libvarnish/cli_auth.c +++ b/lib/libvarnish/cli_auth.c @@ -43,7 +43,7 @@ VCLI_AuthResponse(int S_fd, const char *challenge, char response[CLI_AUTH_RESPONSE_LEN + 1]) { SHA256_CTX ctx; - uint8_t buf[BUFSIZ]; + uint8_t buf[SHA256_LEN]; int i; assert(CLI_AUTH_RESPONSE_LEN == (SHA256_LEN * 2)); @@ -52,8 +52,8 @@ VCLI_AuthResponse(int S_fd, const char *challenge, SHA256_Update(&ctx, challenge, 32); SHA256_Update(&ctx, "\n", 1); do { - i = read(S_fd, buf, sizeof buf); - if (i > 0) + i = read(S_fd, buf, 1); + if (i == 1) SHA256_Update(&ctx, buf, i); } while (i > 0); SHA256_Update(&ctx, challenge, 32); From phk at FreeBSD.org Wed Apr 15 12:02:59 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 15 Apr 2015 14:02:59 +0200 Subject: [master] e99742a Prefer /dev/random over /dev/urandom. Message-ID: commit e99742af53fbec57488722304e5f272e7f4e3471 Author: Poul-Henning Kamp Date: Wed Apr 15 11:31:21 2015 +0000 Prefer /dev/random over /dev/urandom. Close the connection if authentication fails. Syslog authentication failures. Use /dev/[u]random directly to create secret files. Fail creation if none of them are available. Always use "varnishd" as syslog identity, but append "/" + up to seven leading alphanumeric chars from the -i(dent) argument if available. diff --git a/bin/varnishd/mgt/mgt_cli.c b/bin/varnishd/mgt/mgt_cli.c index 74980a4..312cf8f 100644 --- a/bin/varnishd/mgt/mgt_cli.c +++ b/bin/varnishd/mgt/mgt_cli.c 
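Review bot: The read loop in VCLI_AuthResponse() ends on any `i <= 0`, so a read() error is handled exactly like end of file and the digest silently covers a truncated or empty secret. Since this response is what the CLI authentication compares against, a failed read should be a hard failure, for example `assert(i == 0);` directly after the loop. `buf` is declared with `SHA256_LEN` bytes although the loop uses one; if it is reused for the digest later in the function (outside the hunk), a comment should say so. Given the commit's stated aim, the last secret byte left in `buf` and the state in `ctx` would also be worth clearing before returning.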
@@ -298,7 +298,9 @@ mcf_auth(struct cli *cli, const char *const *av, void *priv) VCLI_AuthResponse(fd, cli->challenge, buf); AZ(close(fd)); if (strcasecmp(buf, av[2])) { - mgt_cli_challenge(cli); + syslog(LOG_WARNING|LOG_AUTHPRIV, + "CLI Authentication failure from %s", cli->ident); + VCLI_SetResult(cli, CLIS_CLOSE); return; } cli->auth = MCF_AUTH; diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index 9ddaece..91adc0d 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c @@ -299,7 +299,9 @@ cli_stdin_close(void *priv) } } -/*--------------------------------------------------------------------*/ +/*-------------------------------------------------------------------- + * Autogenerate a -S file using strong random bits from the kernel. + */ static void mgt_secret_atexit(void) @@ -317,25 +319,32 @@ static const char * make_secret(const char *dirname) { char *fn; - int fd; - int i; + int fdo; + int i, j; unsigned char b; + int fdi; assert(asprintf(&fn, "%s/_.secret", dirname) > 0); VJ_master(JAIL_MASTER_FILE); - fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0640); - if (fd < 0) { - fprintf(stderr, "Cannot create secret-file in %s (%s)\n", + fdo = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0640); + if (fdo < 0) + ARGV_ERR("Cannot create secret-file in %s (%s)\n", dirname, strerror(errno)); - exit(1); - } - VRND_Seed(); + + fdi = open("/dev/random", O_RDONLY); + if (fdi < 0) + fdi = open("/dev/urandom", O_RDONLY); + if (fdi < 0) + ARGV_ERR("No /dev/[u]random, cannot autogenerate -S file\n"); + for (i = 0; i < 256; i++) { - b = random() & 0xff; - assert(1 == write(fd, &b, 1)); + j = read(fdi, &b, 1); + assert(j == 1); + assert(1 == write(fdo, &b, 1)); } - AZ(close(fd)); + AZ(close(fdi)); + AZ(close(fdo)); VJ_master(JAIL_MASTER_LOW); AZ(atexit(mgt_secret_atexit)); return (fn); 
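Review bot: make_secret() now reads 256 bytes one at a time from `/dev/random`, which on kernels where that device blocks can stall varnishd start-up for as long as the entropy estimate is low. `/dev/urandom` does not block and is adequate for this key once the pool is initialised, so the order should be the other way round. The same order is introduced for VRND_Seed() in lib/libvarnish/vrnd.c. `assert(j == 1)` also aborts on an interrupted read. If either ARGV_ERR fires, the process leaves with privileges raised and an already truncated `_.secret` on disk.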
@@ -380,6 +389,36 @@ init_params(struct cli *cli) MCF_InitParams(cli); } + +/*--------------------------------------------------------------------*/ + +static void +identify(const char *i_arg) +{ + char id[17], *p; + int i; + + strcpy(id, "varnishd"); + + if (i_arg != NULL) { + if (strlen(i_arg) + 1 > sizeof heritage.identity) + ARGV_ERR("Identity (-i) name too long.\n"); + strncpy(heritage.identity, i_arg, sizeof heritage.identity); + i = strlen(id); + id[i++] = '/'; + for (; i + 1 < sizeof(id); i++) { + if (!isalnum(*i_arg)) + break; + id[i] = *i_arg++; + } + id[i] = '\0'; + } + p = strdup(id); + AN(p); + + openlog(p, LOG_PID, LOG_LOCAL0); +} + /*--------------------------------------------------------------------*/ int @@ -619,16 +658,7 @@ main(int argc, char * const *argv) if (VIN_N_Arg(n_arg, &heritage.name, &dirname, NULL) != 0) ARGV_ERR("Invalid instance (-n) name: %s\n", strerror(errno)); - if (i_arg != NULL) { - if (strlen(i_arg) + 1 > sizeof heritage.identity) - ARGV_ERR("Identity (-i) name too long.\n"); - strncpy(heritage.identity, i_arg, sizeof heritage.identity); - } - - if (n_arg != NULL) - openlog(n_arg, LOG_PID, LOG_LOCAL0); /* XXX: i_arg ? */ - else - openlog("varnishd", LOG_PID, LOG_LOCAL0); + identify(i_arg); VJ_make_workdir(dirname); diff --git a/lib/libvarnish/vrnd.c b/lib/libvarnish/vrnd.c index 02f3970..7c2cc2c 100644 --- a/lib/libvarnish/vrnd.c +++ b/lib/libvarnish/vrnd.c @@ -51,9 +51,9 @@ VRND_Seed(void) int fd; ssize_t sz; - fd = open("/dev/urandom", O_RDONLY); + fd = open("/dev/random", O_RDONLY); if (fd < 0) - fd = open("/dev/random", O_RDONLY); + fd = open("/dev/urandom", O_RDONLY); if (fd >= 0) { sz = read(fd, &seed, sizeof seed); AZ(close(fd)); From phk at FreeBSD.org Wed Apr 15 12:02:59 2015 
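Review bot: `isalnum(*i_arg)` in identify() passes a plain `char`, which is undefined for negative values, so an -i argument containing bytes above 0x7f misbehaves where `char` is signed; use `isalnum((unsigned char)*i_arg)`. The `strncpy()` into `heritage.identity` ends up terminated only because of the length check on the line before it, which deserves a comment. The `strdup(id)` result is never freed, presumably because openlog() keeps the pointer it is given; a short comment such as `/* openlog() retains the pointer */` would stop a later cleanup from freeing it.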
From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 15 Apr 2015 14:02:59 +0200 Subject: [master] 3fa4046 Nitpicking for FlexeLint Message-ID: commit 3fa4046308b24103253de98baed6996f6bf2af7f Author: Poul-Henning Kamp Date: Wed Apr 15 12:01:50 2015 +0000 Nitpicking for FlexeLint diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index 91adc0d..65395cb 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c @@ -406,7 +406,7 @@ identify(const char *i_arg) strncpy(heritage.identity, i_arg, sizeof heritage.identity); i = strlen(id); id[i++] = '/'; - for (; i + 1 < sizeof(id); i++) { + for (; i < (sizeof(id) - 1L); i++) { if (!isalnum(*i_arg)) break; id[i] = *i_arg++; From phk at FreeBSD.org Wed Apr 15 21:21:31 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 15 Apr 2015 23:21:31 +0200 Subject: [master] a693b44 Implment Doc "The American" Wilco's suggestion and restrict shared memory access to require root or varnish group membership. Message-ID: commit a693b444719ff845449f8a75b7a3cedcf3e732f7 Author: Poul-Henning Kamp Date: Wed Apr 15 21:20:33 2015 +0000 Implment Doc "The American" Wilco's suggestion and restrict shared memory access to require root or varnish group membership. diff --git a/bin/varnishd/mgt/mgt.h b/bin/varnishd/mgt/mgt.h index 410439e..86fcdee 100644 --- a/bin/varnishd/mgt/mgt.h +++ b/bin/varnishd/mgt/mgt.h @@ -86,7 +86,7 @@ typedef int jail_init_f(char **); typedef void jail_master_f(enum jail_master_e); typedef void jail_subproc_f(enum jail_subproc_e); typedef void jail_make_dir_f(const char *dname); -typedef void jail_storage_file_f(int fd); +typedef void jail_fixfile_f(int fd); struct jail_tech { unsigned magic; @@ -97,7 +97,8 @@ struct jail_tech { jail_subproc_f *subproc; jail_make_dir_f *make_workdir; jail_make_dir_f *make_vcldir; - jail_storage_file_f *storage_file; + jail_fixfile_f *vsm_file; + jail_fixfile_f *storage_file; }; void VJ_Init(const char *j_arg); 
@@ -105,7 +106,8 @@ void VJ_master(enum jail_master_e jme); void VJ_subproc(enum jail_subproc_e jse); void VJ_make_workdir(const char *dname); void VJ_make_vcldir(const char *dname); -void VJ_storage_file(int fd); +void VJ_fix_vsm_file(int fd); +void VJ_fix_storage_file(int fd); extern const struct jail_tech jail_tech_unix; extern const struct jail_tech jail_tech_solaris; diff --git a/bin/varnishd/mgt/mgt_jail.c b/bin/varnishd/mgt/mgt_jail.c index 260e6f6..d75cc3b 100644 --- a/bin/varnishd/mgt/mgt_jail.c +++ b/bin/varnishd/mgt/mgt_jail.c @@ -181,10 +181,19 @@ VJ_make_vcldir(const char *dname) } void -VJ_storage_file(int fd) +VJ_fix_storage_file(int fd) { CHECK_OBJ_NOTNULL(vjt, JAIL_TECH_MAGIC); if (vjt->storage_file != NULL) vjt->storage_file(fd); } + +void +VJ_fix_vsm_file(int fd) +{ + + CHECK_OBJ_NOTNULL(vjt, JAIL_TECH_MAGIC); + if (vjt->vsm_file != NULL) + vjt->vsm_file(fd); +} diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c index 58eae00..f800ffd 100644 --- a/bin/varnishd/mgt/mgt_jail_unix.c +++ b/bin/varnishd/mgt/mgt_jail_unix.c @@ -235,7 +235,17 @@ vju_make_vcldir(const char *dname) AZ(seteuid(vju_uid)); } -static void + +static void __match_proto__(jail_fixfile_f) +vju_vsm_file(int fd) +{ + /* Called under JAIL_MASTER_FILE */ + + AZ(fchmod(fd, 0640)); + AZ(fchown(fd, 0, vju_gid)); +} + +static void __match_proto__(jail_fixfile_f) vju_storage_file(int fd) { /* Called under JAIL_MASTER_STORAGE */ @@ -250,6 +260,7 @@ const struct jail_tech jail_tech_unix = { .init = vju_init, .master = vju_master, .make_vcldir = vju_make_vcldir, + .vsm_file = vju_vsm_file, .storage_file = vju_storage_file, .subproc = vju_subproc, }; diff --git a/bin/varnishd/mgt/mgt_shmem.c b/bin/varnishd/mgt/mgt_shmem.c index 7ac8a53..89a7935 100644 --- a/bin/varnishd/mgt/mgt_shmem.c +++ b/bin/varnishd/mgt/mgt_shmem.c 
@@ -151,12 +151,13 @@ vsm_zerofile(const char *fn, ssize_t size) int fd; int flags; - fd = flopen(fn, O_RDWR | O_CREAT | O_EXCL | O_NONBLOCK, 0644); + fd = flopen(fn, O_RDWR | O_CREAT | O_EXCL | O_NONBLOCK, 0640); if (fd < 0) { fprintf(stderr, "Could not create %s: %s\n", fn, strerror(errno)); return (-1); } + VJ_fix_vsm_file(fd); flags = fcntl(fd, F_GETFL); assert(flags != -1); flags &= ~O_NONBLOCK; diff --git a/bin/varnishd/storage/stevedore_utils.c b/bin/varnishd/storage/stevedore_utils.c index 80840cb..e5b727d 100644 --- a/bin/varnishd/storage/stevedore_utils.c +++ b/bin/varnishd/storage/stevedore_utils.c @@ -95,7 +95,7 @@ STV_GetFile(const char *fn, int *fdp, const char **fnp, const char *ctx) VJ_master(JAIL_MASTER_STORAGE); fd = open(fn, O_RDWR | O_CREAT | O_EXCL | O_LARGEFILE, 0600); if (fd >= 0) { - VJ_storage_file(fd); + VJ_fix_storage_file(fd); *fdp = fd; *fnp = fn; VJ_master(JAIL_MASTER_LOW); @@ -134,7 +134,7 @@ STV_GetFile(const char *fn, int *fdp, const char **fnp, const char *ctx) ctx, fn); *fdp = fd; - VJ_storage_file(fd); + VJ_fix_storage_file(fd); VJ_master(JAIL_MASTER_LOW); return (retval); } From phk at FreeBSD.org Wed Apr 15 22:04:12 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 16 Apr 2015 00:04:12 +0200 Subject: [master] 81868df Adopt Dridi's suggestion to call the worker process uid "vcache". Message-ID: commit 81868df7651b31e04d6935d7ad8ca42b5e52f6a5 Author: Poul-Henning Kamp Date: Wed Apr 15 22:03:44 2015 +0000 Adopt Dridi's suggestion to call the worker process uid "vcache". Also look for it automatically. diff --git a/bin/varnishd/mgt/mgt_jail_unix.c b/bin/varnishd/mgt/mgt_jail_unix.c index f800ffd..3b3ce12 100644 --- a/bin/varnishd/mgt/mgt_jail_unix.c +++ b/bin/varnishd/mgt/mgt_jail_unix.c 
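Review bot: The group restriction on the VSM file comes only from `VJ_fix_vsm_file()`, which does nothing when the active jail has no `vsm_file` hook, and in this commit only `jail_tech_unix` sets one. Under any other jail the file keeps whatever owner and group it was created with and only the `0640` creation mode (further reduced by the umask) applies, so the access rule in the commit message holds for the unix jail alone. A comment at the call site such as `/* ownership is tightened by the jail, if it implements vsm_file */` would make that limit visible. vsm_zerofile() continues outside the hunk.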
@@ -59,8 +59,12 @@ static const char *vju_wrkuser; static gid_t vju_cc_gid; static int vju_cc_gid_set; -#ifndef JAIL_USER -#define JAIL_USER "varnish" +#ifndef VARNISH_USER +#define VARNISH_USER "varnish" +#endif + +#ifndef VCACHE_USER +#define VCACHE_USER "vcache" #endif #ifndef NGID 
@@ -123,46 +127,54 @@ vju_init(char **args) /* Autoconfig */ if (geteuid() != 0) return (1); - if (vju_getuid(JAIL_USER)) + if (vju_getuid(VARNISH_USER)) return (1); - AZ(setegid(vju_gid)); - AZ(seteuid(vju_uid)); - return (0); + } else { + + if (geteuid() != 0) + ARGV_ERR("Unix Jail: Must be root.\n"); + + for (;*args != NULL; args++) { + if (!strncmp(*args, "user=", 5)) { + if (vju_getuid((*args) + 5)) + ARGV_ERR( + "Unix jail: %s user not found.\n", + (*args) + 5); + continue; + } + if (!strncmp(*args, "workuser=", 9)) { + if (vju_getwrkuid((*args) + 9)) + ARGV_ERR( + "Unix jail: %s user not found.\n", + (*args) + 9); + continue; + } + if (!strncmp(*args, "ccgroup=", 8)) { + if (vju_getccgid((*args) + 8)) + ARGV_ERR( + "Unix jail: %s group not found.\n", + (*args) + 8); + continue; + } + ARGV_ERR("Unix jail: unknown sub-argument '%s'\n", + *args); + } + + if (vju_user == NULL && vju_getuid(VARNISH_USER)) + ARGV_ERR("Unix jail: %s user not found.\n", + VARNISH_USER); } - if (geteuid() != 0) - ARGV_ERR("Unix Jail: Must be root.\n"); + AN(vju_user); vju_mgr_gid = getgid(); - for (;*args != NULL; args++) { - if (!strncmp(*args, "user=", 5)) { - if (vju_getuid((*args) + 5)) - ARGV_ERR("Unix jail: %s user not found.\n", - (*args) + 5); - continue; - } - if (!strncmp(*args, "workuser=", 9)) { - if (vju_getwrkuid((*args) + 9)) - ARGV_ERR("Unix jail: %s user not found.\n", - (*args) + 5); - continue; - } - if (!strncmp(*args, "ccgroup=", 8)) { - if (vju_getccgid((*args) + 8)) - ARGV_ERR("Unix jail: %s group not found.\n", - (*args) + 8); - continue; - } - ARGV_ERR("Unix jail: unknown sub-argument '%s'\n", *args); - } - - if (vju_user == NULL && vju_getuid(JAIL_USER)) - ARGV_ERR("Unix jail: %s user not found.\n", JAIL_USER); + if (vju_wrkuser == NULL) + (void)vju_getwrkuid(VCACHE_USER); if (vju_wrkuser != NULL && vju_wrkgid != vju_gid) - ARGV_ERR("Unix jail: %s and %s have different login groups\n", - vju_user, vju_wrkuser); + ARGV_ERR("Unix jail: user %s and %s have " + 
"different login groups\n", vju_user, vju_wrkuser); /* Do an explicit JAIL_MASTER_LOW */ AZ(setegid(vju_gid)); diff --git a/bin/varnishtest/tests/j00001.vtc b/bin/varnishtest/tests/j00001.vtc index 25e6f3b..dc53e56 100644 --- a/bin/varnishtest/tests/j00001.vtc +++ b/bin/varnishtest/tests/j00001.vtc @@ -3,7 +3,7 @@ varnishtest "Run worker with different uid in UNIX jail" # The "vrun" user must have login group "varnish" feature user_varnish -feature user_vrun +feature user_vcache feature group_varnish feature root @@ -13,7 +13,7 @@ server s1 { } -start varnish v1 \ - -jail "-junix,user=varnish,ccgroup=varnish,workuser=vrun" \ + -jail "-junix,user=varnish,ccgroup=varnish,workuser=vcache" \ -vcl+backend { } -start diff --git a/bin/varnishtest/vtc.c b/bin/varnishtest/vtc.c index 89719e8..ad93240 100644 --- a/bin/varnishtest/vtc.c +++ b/bin/varnishtest/vtc.c @@ -573,8 +573,8 @@ cmd_feature(CMD_ARGS) getpwnam("varnish") != NULL) continue; - if (!strcmp(av[i], "user_vrun") && - getpwnam("vrun") != NULL) + if (!strcmp(av[i], "user_vcache") && + getpwnam("vcache") != NULL) continue; if (!strcmp(av[i], "group_varnish") && From fgsch at lodoss.net Wed Apr 15 22:53:11 2015 From: fgsch at lodoss.net (Federico G. Schwindt) Date: Thu, 16 Apr 2015 00:53:11 +0200 Subject: [master] be54de8 varnishstat -f takes a single field Message-ID: commit be54de83f9b7817ac9bbec7c33837b1caee004d2 Author: Federico G. Schwindt Date: Wed Apr 15 23:45:15 2015 +0100 varnishstat -f takes a single field To specify multiple fields you can use more than one -f. diff --git a/bin/varnishstat/varnishstat.c b/bin/varnishstat/varnishstat.c index bd0beee..cfa819f 100644 --- a/bin/varnishstat/varnishstat.c +++ b/bin/varnishstat/varnishstat.c 
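Review bot: `(void)vju_getwrkuid(VCACHE_USER);` discards the lookup result, so when no `vcache` account exists the jail is configured without a separate worker uid and nothing reports it; presumably the worker then runs under the `user=` account. Since the worker user exists for privilege separation, the fallback should at least be reported, e.g. `if (vju_wrkuser == NULL && vju_getwrkuid(VCACHE_USER))` followed by a message on stderr. The reverse case deserves a comment too: an auto-detected `vcache` account whose login group differs from that of `vju_user` now reaches the `ARGV_ERR` about different login groups even though no `workuser=` was given. vju_init() starts outside the hunk.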
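Review bot: The context comment `# The "vrun" user must have login group "varnish"` still names the old account after the test switched to `feature user_vcache` and `workuser=vcache`. It should read `# The "vcache" user must have login group "varnish"`, otherwise the stated precondition no longer matches what the test checks.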
@@ -250,11 +250,11 @@ usage(void) { #define FMT " %-28s # %s\n" fprintf(stderr, "usage: varnishstat " - "[-1lV] [-f field_list] " + "[-1lV] [-f field] " VSC_n_USAGE " " "[-w delay]\n"); fprintf(stderr, FMT, "-1", "Print the statistics to stdout."); - fprintf(stderr, FMT, "-f field_list", "Field inclusion glob"); + fprintf(stderr, FMT, "-f field", "Field inclusion glob"); fprintf(stderr, FMT, "", "If it starts with '^' it is used as an exclusion list"); fprintf(stderr, FMT, "-l", diff --git a/doc/sphinx/reference/varnishstat.rst b/doc/sphinx/reference/varnishstat.rst index 47d597e..8bef6e6 100644 --- a/doc/sphinx/reference/varnishstat.rst +++ b/doc/sphinx/reference/varnishstat.rst @@ -15,7 +15,7 @@ Varnish Cache statistics SYNOPSIS ======== -varnishstat [-1] [-x] [-j] [-f field_list] [-l] [-n varnish_name] [-N filename] [-V] [-w delay] +varnishstat [-1] [-x] [-j] [-f field] [-l] [-n varnish_name] [-N filename] [-V] [-w delay] .. TODO: autogenerate this synopsis like the others. From fgsch at lodoss.net Wed Apr 15 22:53:11 2015 From: fgsch at lodoss.net (Federico G. Schwindt) Date: Thu, 16 Apr 2015 00:53:11 +0200 Subject: [master] 2cb8068 call and return are not functions but keywords Message-ID: commit 2cb80687d6b4f4be7a524ee606296784eed48296 Author: Federico G. Schwindt Date: Wed Apr 15 23:50:09 2015 +0100 call and return are not functions but keywords Remove them from the function list. They are mentioned somewhere else in this document. Prompted after dridi@ spotted the invalid syntax in call. diff --git a/doc/sphinx/reference/vcl.rst b/doc/sphinx/reference/vcl.rst index 88ac1fe..2246dd6 100644 --- a/doc/sphinx/reference/vcl.rst +++ b/doc/sphinx/reference/vcl.rst @@ -241,7 +241,7 @@ Probes will query the backend for status on a regular basis and mark the backend as down it they fail. A probe is defined as this:: probe name { - .attribute = "value"; + .attribute = "value"; } There are no mandatory options. These are the options you can set: 
@@ -375,9 +375,6 @@ ban(expression) Invalidates all objects in cache that match the expression with the ban mechanism. -call(subroutine) - Run a VCL subroutine within the current scope. - hash_data(input) Adds an input to the hash input. In the built-in VCL hash_data() is called on the host and URL of the *request*. Available in vcl_hash. @@ -385,10 +382,6 @@ hash_data(input) new() Instanciate a new VCL object. Available in vcl_init. -return() - End execution of the current VCL subroutine, and continue to the next step - in the request handling state machine. - rollback() Restore *req* HTTP headers to their original state. This function is deprecated. Use std.rollback() instead. From phk at FreeBSD.org Thu Apr 16 07:07:39 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 16 Apr 2015 09:07:39 +0200 Subject: [master] ef8f969 Harmless off by one Message-ID: commit ef8f969ee32bc1bdbb7c4931b8cd714ac3832143 Author: Poul-Henning Kamp Date: Thu Apr 16 07:07:25 2015 +0000 Harmless off by one Spotted by: Coverity diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index 65395cb..25906f5 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c @@ -401,7 +401,7 @@ identify(const char *i_arg) strcpy(id, "varnishd"); if (i_arg != NULL) { - if (strlen(i_arg) + 1 > sizeof heritage.identity) + if (strlen(i_arg) + 1 >= sizeof heritage.identity) ARGV_ERR("Identity (-i) name too long.\n"); strncpy(heritage.identity, i_arg, sizeof heritage.identity); i = strlen(id); From phk at FreeBSD.org Thu Apr 16 07:17:04 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 16 Apr 2015 09:17:04 +0200 Subject: [master] 4a334d7 Insignificant memory leak spotted by Coverity Message-ID: commit 4a334d7dca6d9215aaffc3e012ec74c71126e4f0 Author: Poul-Henning Kamp Date: Thu Apr 16 07:16:45 2015 +0000 Insignificant memory leak spotted by Coverity diff --git a/bin/varnishd/mgt/mgt_acceptor.c b/bin/varnishd/mgt/mgt_acceptor.c index 6d3c240..b85c391 100644 
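Review bot: With `>=` the check now refuses an identity of exactly `sizeof heritage.identity - 1` characters, although the `strncpy()` on the next line would still have had room to write the terminator for that length. If the extra byte of slack is deliberate (the commit credits Coverity), record it next to the test, e.g. `/* keep one spare byte so strncpy() always NUL-pads */`, so nobody "fixes" it back. identify() begins and ends outside the hunk.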
--- a/bin/varnishd/mgt/mgt_acceptor.c +++ b/bin/varnishd/mgt/mgt_acceptor.c @@ -196,6 +196,7 @@ MAC_Arg(const char *arg) error = VSS_resolver(av[1], "80", mac_callback, mh, &err); if (mh->good == 0 || err != NULL) ARGV_ERR("Could not bind to address %s: %s\n", av[1], err); + VAV_Free(av); AZ(error); FREE_OBJ(mh); } From phk at FreeBSD.org Thu Apr 16 07:18:49 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 16 Apr 2015 09:18:49 +0200 Subject: [master] 3aaf69f Compat for platforms without LOG_AUTHPRIV Message-ID: commit 3aaf69fc01c916492812a7a863c746459ee19c51 Author: Poul-Henning Kamp Date: Thu Apr 16 07:18:38 2015 +0000 Compat for platforms without LOG_AUTHPRIV diff --git a/bin/varnishd/mgt/mgt_cli.c b/bin/varnishd/mgt/mgt_cli.c index 312cf8f..bdbc47a 100644 --- a/bin/varnishd/mgt/mgt_cli.c +++ b/bin/varnishd/mgt/mgt_cli.c @@ -59,6 +59,10 @@ #include "mgt_cli.h" +#ifndef LOG_AUTHPRIV +# define LOG_AUTHPRIV +#endif + static int cli_i = -1, cli_o = -1; static struct VCLS *cls; static const char *secret_file; From phk at FreeBSD.org Thu Apr 16 08:23:29 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 16 Apr 2015 10:23:29 +0200 Subject: [master] 13ddb03 Duh! Message-ID: commit 13ddb03ffb34ec20e0c633ba3245f843fff099e2 Author: Poul-Henning Kamp Date: Thu Apr 16 08:23:17 2015 +0000 Duh! diff --git a/bin/varnishd/mgt/mgt_cli.c b/bin/varnishd/mgt/mgt_cli.c index bdbc47a..f618d5c 100644 --- a/bin/varnishd/mgt/mgt_cli.c +++ b/bin/varnishd/mgt/mgt_cli.c @@ -60,7 +60,7 @@ #include "mgt_cli.h" #ifndef LOG_AUTHPRIV -# define LOG_AUTHPRIV +# define LOG_AUTHPRIV 0 #endif static int cli_i = -1, cli_o = -1; From phk at FreeBSD.org Thu Apr 16 10:20:49 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 16 Apr 2015 12:20:49 +0200 Subject: [master] 96d556a Removing files at exit is best effort Message-ID: commit 96d556a9e8d818e8fc99b6a33d7b9ed491520a75 Author: Poul-Henning Kamp Date: Thu Apr 16 10:20:35 2015 +0000 Removing files at exit is best effort 
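Review bot: `ARGV_ERR("Could not bind to address %s: %s\n", av[1], err)` is reached when `mh->good == 0` even if `err` is still NULL, which passes a null pointer to `%s`, assuming ARGV_ERR formats printf-style. Passing `err != NULL ? err : "no usable address"` (wording is only a suggestion) keeps the message defined. The added `VAV_Free(av)` is correctly placed after that check because the message still reads `av[1]`; a comment such as `/* av[1] is used in the error above, free only after it */` would stop it being moved up later. MAC_Arg() starts outside the hunk.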
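Review bot: Defining the fallback as `0` means that wherever `LOG_AUTHPRIV` is OR'ed into a syslog priority (the use site is outside this hunk) no facility is selected, so those records go to the process default and not to an authentication log. Where the platform provides `LOG_AUTH`, `# define LOG_AUTHPRIV LOG_AUTH` keeps CLI records with the other authentication events. Either way the block should carry a comment naming the chosen fallback and where the records end up.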
diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index 25906f5..88b7e75 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c @@ -311,7 +311,7 @@ mgt_secret_atexit(void) if (getpid() != mgt_pid) return; VJ_master(JAIL_MASTER_FILE); - AZ(unlink("_.secret")); + (void)unlink("_.secret"); VJ_master(JAIL_MASTER_LOW); } From phk at FreeBSD.org Thu Apr 16 10:35:49 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 16 Apr 2015 12:35:49 +0200 Subject: [master] c217f49 Turn cli write failuers into vtc_log(0) rather than asserts Message-ID: commit c217f497a17b976260775da1037e873775d4897f Author: Poul-Henning Kamp Date: Thu Apr 16 10:35:32 2015 +0000 Turn cli write failuers into vtc_log(0) rather than asserts diff --git a/bin/varnishtest/vtc_varnish.c b/bin/varnishtest/vtc_varnish.c index 490171e..7f87479 100644 --- a/bin/varnishtest/vtc_varnish.c +++ b/bin/varnishtest/vtc_varnish.c @@ -33,6 +33,7 @@ #include #include +#include #include #include #include @@ -96,9 +97,13 @@ varnish_ask_cli(const struct varnish *v, const char *cmd, char **repl) if (cmd != NULL) { vtc_dump(v->vl, 4, "CLI TX", cmd, -1); i = write(v->cli_fd, cmd, strlen(cmd)); - assert(i == strlen(cmd)); + if (i != strlen(cmd)) + vtc_log(v->vl, 0, "CLI write failed (%s) = %u %s", + cmd, errno, strerror(errno)); i = write(v->cli_fd, "\n", 1); - assert(i == 1); + if (i != 1) + vtc_log(v->vl, 0, "CLI write failed (%s) = %u %s", + cmd, errno, strerror(errno)); } i = VCLI_ReadResult(v->cli_fd, &retval, &r, 30.0); if (i != 0) { From martin at varnish-software.com Thu Apr 16 14:12:19 2015 
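Review bot: `(void)unlink("_.secret");` now hides every failure, including those that leave the secret file on disk, such as a permission error. Ignoring only the already-removed case keeps the best-effort intent while still surfacing a leftover secret: `if (unlink("_.secret") != 0 && errno != ENOENT)` followed by a message on stderr. mgt_secret_atexit() starts outside the hunk.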
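Review bot: Both new `vtc_log()` calls print `errno` with `%u` although it is an `int`, and they print `errno` and `strerror(errno)` even when `write()` returned a short count instead of -1, in which case errno is stale. Use `%d` and include the returned count `i` in the message so a short write can be told apart from a failed one. The second message also names `cmd` although the write that failed was the trailing newline. varnish_ask_cli() continues outside the hunk.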
From: martin at varnish-software.com (Martin Blix Grydeland) Date: Thu, 16 Apr 2015 16:12:19 +0200 Subject: [master] 27cc6ff Do not use VNUM() in varnishncsa Message-ID: commit 27cc6ff616be68407a633fb925ed661638b93b7c Author: Martin Blix Grydeland Date: Thu Apr 16 16:10:41 2015 +0200 Do not use VNUM() in varnishncsa The strings in varnishncsa are not necessarily null-terminated, but having a start and an end pointer. The VNUM() thus fails when not seeing the end of string null character, causing parsing failures. diff --git a/bin/varnishncsa/varnishncsa.c b/bin/varnishncsa/varnishncsa.c index ce30191..257a39d 100644 --- a/bin/varnishncsa/varnishncsa.c +++ b/bin/varnishncsa/varnishncsa.c @@ -59,7 +59,6 @@ #include "vas.h" #include "vdef.h" #include "vcs.h" -#include "vnum.h" #include "vsb.h" #include "vut.h" #include "vqueue.h" @@ -285,13 +284,16 @@ static int __match_proto__(format_f) format_time(const struct format *format) { double t_start, t_end; + char *p; char buf[64]; time_t t; struct tm tm; CHECK_OBJ_NOTNULL(format, FORMAT_MAGIC); if (CTX.frag[F_tstart].gen == CTX.gen) { - t_start = VNUM(CTX.frag[F_tstart].b); + t_start = strtod(CTX.frag[F_tstart].b, &p); + if (p != CTX.frag[F_tstart].e) + t_start = NAN; } else t_start = NAN; if (isnan(t_start)) { @@ -304,8 +306,8 @@ format_time(const struct format *format) /* Missing t_end defaults to t_start */ if (CTX.frag[F_tend].gen == CTX.gen) { - t_end = VNUM(CTX.frag[F_tend].b); - if (isnan(t_end)) + t_end = strtod(CTX.frag[F_tend].b, &p); + if (p != CTX.frag[F_tend].e) t_end = t_start; } else t_end = t_start; From martin at varnish-software.com Wed Apr 22 09:09:09 2015 
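Review bot: `strtod(CTX.frag[F_tstart].b, &p)` has no length bound either, so on a fragment that is not NUL-terminated it keeps reading past `.e` for as long as the following bytes look numeric, and the `p != CTX.frag[F_tstart].e` comparison only notices afterwards. An empty fragment (`.b == .e`) can also pass that comparison and yield 0 instead of NAN. Parsing a bounded, terminated copy avoids both, and the same applies to the `F_tend` hunk that follows; the sketch assumes `.e` never precedes `.b`. format_time() continues outside the hunk.
```c
/* format_time(): parse F_tstart from a bounded, terminated copy */
char num[64];
size_t len = (size_t)(CTX.frag[F_tstart].e - CTX.frag[F_tstart].b);

t_start = NAN;
if (len > 0 && len < sizeof num) {
	memcpy(num, CTX.frag[F_tstart].b, len);
	num[len] = '\0';
	t_start = strtod(num, &p);
	if (p != num + len)
		t_start = NAN;
}
/* … unchanged: isnan(t_start) handling; F_tend gets the same treatment … */
```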
From: martin at varnish-software.com (Martin Blix Grydeland) Date: Wed, 22 Apr 2015 11:09:09 +0200 Subject: [master] dff71c6 Transaction limit 0 doesn't make any sense, enforce -L > 0 Message-ID: commit dff71c6c8f65927ff1b56e6ff645f68747351e12 Author: Martin Blix Grydeland Date: Wed Apr 22 11:03:41 2015 +0200 Transaction limit 0 doesn't make any sense, enforce -L > 0 Also do not assert on empty incomplete list even though VTX count is larger than L. This can happen when a complete multi-transaction result is still unreported. Original patch by Geoff Simmons (Uplex) diff --git a/lib/libvarnishapi/vsl_arg.c b/lib/libvarnishapi/vsl_arg.c index 24483c9..e6b2b89 100644 --- a/lib/libvarnishapi/vsl_arg.c +++ b/lib/libvarnishapi/vsl_arg.c @@ -343,7 +343,7 @@ VSL_Arg(struct VSL_data *vsl, int opt, const char *arg) p++; if (*p != '\0') return (vsl_diag(vsl, "-L: Syntax error")); - if (l < 0 || l > INT_MAX) + if (l <= 0 || l > INT_MAX) return (vsl_diag(vsl, "-L: Range error")); vsl->L_opt = (int)l; return (1); diff --git a/lib/libvarnishapi/vsl_dispatch.c b/lib/libvarnishapi/vsl_dispatch.c index 1e4a617..f03f932 100644 --- a/lib/libvarnishapi/vsl_dispatch.c +++ b/lib/libvarnishapi/vsl_dispatch.c @@ -1344,7 +1344,8 @@ VSLQ_Dispatch(struct VSLQ *vslq, VSLQ_dispatch_f *func, void *priv) } /* Check store limit */ - while (vslq->n_outstanding > vslq->vsl->L_opt) { + while (vslq->n_outstanding > vslq->vsl->L_opt && + !(VTAILQ_EMPTY(&vslq->incomplete))) { vtx = VTAILQ_FIRST(&vslq->incomplete); CHECK_OBJ_NOTNULL(vtx, VTX_MAGIC); vtx_force(vslq, vtx, "store overflow"); From martin at varnish-software.com Wed Apr 22 09:09:09 2015 From: martin at varnish-software.com (Martin Blix Grydeland) Date: Wed, 22 Apr 2015 11:09:09 +0200 Subject: [master] aa51d11 vsl.h requires stdint.h - include it Message-ID: commit aa51d111acb9bc4ffe580b8959615d46db0151fc Author: Martin Blix Grydeland Date: Wed Apr 22 11:08:18 2015 +0200 vsl.h requires stdint.h - include it PAtch by: Geoff Simmons (Uplex) 
diff --git a/include/vapi/vsl.h b/include/vapi/vsl.h index d87b304..cebbb46 100644 --- a/include/vapi/vsl.h +++ b/include/vapi/vsl.h @@ -34,6 +34,8 @@ #ifndef VAPI_VSL_H_INCLUDED #define VAPI_VSL_H_INCLUDED +#include + #include "vapi/vsl_int.h" struct VSM_data; From phk at FreeBSD.org Mon Apr 27 07:50:24 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Mon, 27 Apr 2015 09:50:24 +0200 Subject: [master] be2d073 Make the VCL cold/warm/auto state handling more consistent. Message-ID: commit be2d0739f1a2e1cc5fb8a277ffec21f270ed7181 Author: Poul-Henning Kamp Date: Mon Apr 27 07:48:14 2015 +0000 Make the VCL cold/warm/auto state handling more consistent. diff --git a/bin/varnishd/mgt/mgt_vcl.c b/bin/varnishd/mgt/mgt_vcl.c index 1926c04..278dd9d 100644 --- a/bin/varnishd/mgt/mgt_vcl.c +++ b/bin/varnishd/mgt/mgt_vcl.c @@ -114,20 +114,6 @@ mgt_vcl_byname(const char *name) return (NULL); } - -static int -mgt_vcl_delbyname(const char *name) -{ - struct vclprog *vp; - - vp = mgt_vcl_byname(name); - if (vp != NULL) { - mgt_vcl_del(vp); - return (0); - } - return (1); -} - int mgt_has_vcl(void) { @@ -143,6 +129,7 @@ mgt_vcl_setstate(struct vclprog *vp, int warm) char *p; if (warm == -1) { + assert(vp != active_vcl); now = VTIM_mono(); warm = vp->warm; if (vp->go_cold > 0 && !strcmp(vp->state, "auto") && @@ -245,6 +232,7 @@ mgt_push_vcls_and_start(unsigned *status, char **p) struct vclprog *vp; AN(active_vcl); + mgt_vcl_setstate(active_vcl, 1); VTAILQ_FOREACH(vp, &vclhead, list) { if (mgt_cli_askchild(status, p, "vcl.load \"%s\" %s %d%s\n", vp->name, vp->fname, vp->warm, vp->state)) @@ -333,7 +321,10 @@ mcf_vcl_state(struct cli *cli, const char * const *av, void *priv) if (!strcmp(av[3], "auto")) { bprintf(vp->state, "%s", "auto"); - mgt_vcl_setstate(vp, -1); + if (vp != active_vcl) { + vp->go_cold = VTIM_mono(); + mgt_vcl_setstate(vp, -1); + } } else if (!strcmp(av[3], "cold")) { if (vp == active_vcl) { VCLI_Out(cli, "Cannot set the active VCL cold."); 
@@ -356,7 +347,7 @@ mcf_vcl_use(struct cli *cli, const char * const *av, void *priv) { unsigned status; char *p = NULL; - struct vclprog *vp; + struct vclprog *vp, *vp2; (void)priv; vp = mcf_find_vcl(cli, av[2]); @@ -369,11 +360,16 @@ mcf_vcl_use(struct cli *cli, const char * const *av, void *priv) mgt_cli_askchild(&status, &p, "vcl.use %s\n", av[2])) { VCLI_SetResult(cli, status); VCLI_Out(cli, "%s", p); + vp->go_cold = VTIM_mono(); + mgt_vcl_setstate(vp, -1); } else { VCLI_Out(cli, "VCL '%s' now active", av[2]); - if (active_vcl != NULL) - active_vcl->go_cold = VTIM_mono(); + vp2 = active_vcl; active_vcl = vp; + if (vp2 != NULL) { + vp2->go_cold = VTIM_mono(); + mgt_vcl_setstate(vp2, -1); + } } free(p); } @@ -387,21 +383,20 @@ mcf_vcl_discard(struct cli *cli, const char * const *av, void *priv) (void)priv; vp = mcf_find_vcl(cli, av[2]); + if (vp == NULL) + return; if (vp == active_vcl) { VCLI_SetResult(cli, CLIS_PARAM); VCLI_Out(cli, "Cannot discard active VCL program\n"); - } else if (vp != NULL) { - mgt_vcl_setstate(vp, 0); - if (child_pid >= 0 && - mgt_cli_askchild(&status, &p, - "vcl.discard %s\n", av[2])) { - VCLI_SetResult(cli, status); - VCLI_Out(cli, "%s", p); - } else { - AZ(mgt_vcl_delbyname(av[2])); - } + return; } - free(p); + mgt_vcl_setstate(vp, 0); + if (child_pid >= 0) { + /* If this fails the child is crashing, figure that later */ + (void)mgt_cli_askchild(&status, &p, "vcl.discard %s\n", av[2]); + free(p); + } + mgt_vcl_del(vp); } void @@ -439,8 +434,10 @@ mgt_vcl_poker(const struct vev *e, int what) (void)e; (void)what; e_poker->timeout = mgt_param.vcl_cooldown * .45; - VTAILQ_FOREACH(vp, &vclhead, list) - mgt_vcl_setstate(vp, -1); + VTAILQ_FOREACH(vp, &vclhead, list) { + if (vp != active_vcl) + mgt_vcl_setstate(vp, -1); + } return (0); } From phk at FreeBSD.org Tue Apr 28 08:02:11 2015 
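Review bot: In the failure branch of mcf_vcl_use(), `mgt_vcl_setstate(vp, -1)` runs into the `assert(vp != active_vcl)` that this same commit adds to mgt_vcl_setstate(). A `vcl.use` naming the already active VCL that the child rejects would then abort the manager, unless lines outside this hunk return early for that case. Guard it the way mcf_vcl_state() and mgt_vcl_poker() do in this commit: `if (vp != active_vcl) { vp->go_cold = VTIM_mono(); mgt_vcl_setstate(vp, -1); }`.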
From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 28 Apr 2015 10:02:11 +0200 Subject: [master] 562909b Log the first line of the string we're executing to make it easier to correlate the test-case with the output. Message-ID: commit 562909b84b30cd3c45518d5cd246316db5149bd7 Author: Poul-Henning Kamp Date: Tue Apr 28 08:01:30 2015 +0000 Log the first line of the string we're executing to make it easier to correlate the test-case with the output. diff --git a/bin/varnishtest/vtc.c b/bin/varnishtest/vtc.c index ad93240..168423c 100644 --- a/bin/varnishtest/vtc.c +++ b/bin/varnishtest/vtc.c @@ -51,7 +51,6 @@ #define MAX_TOKENS 200 -static char *vtc_desc; volatile sig_atomic_t vtc_error; /* Error encountered */ int vtc_stop; /* Stops current test without error */ pthread_t vtc_thread; @@ -276,6 +275,9 @@ parse_string(char *buf, const struct cmds *cmd, void *priv, struct vtclog *vl) /* Start of line */ if (isspace(*p)) continue; + if (*p == '\n') + continue; + if (*p == '#') { for (; *p != '\0' && *p != '\n'; p++) ; @@ -284,6 +286,14 @@ parse_string(char *buf, const struct cmds *cmd, void *priv, struct vtclog *vl) continue; } + q = strchr(p, '\n'); + if (q == NULL) + q = strchr(p, '\0'); + if (q - p > 60) + vtc_log(vl, 2, "=== %.60s...", p); + else + vtc_log(vl, 2, "=== %.*s", (int)(q - p), p); + /* First content on line, collect tokens */ tn = 0; f = p; @@ -362,7 +372,6 @@ parse_string(char *buf, const struct cmds *cmd, void *priv, struct vtclog *vl) vtc_log(vl, 0, "Unknown command: \"%s\"", token_s[0]); return; } - vtc_log(vl, 3, "%s", token_s[0]); assert(cp->cmd != NULL); cp->cmd(token_s, priv, cmd, vl); @@ -399,7 +408,6 @@ cmd_varnishtest(CMD_ARGS) vtc_log(vl, 1, "TEST %s", av[1]); AZ(av[2]); - vtc_desc = strdup(av[1]); } /********************************************************************** 
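Review bot: The added `if (*p == '\n') continue;` can never fire, because the `isspace(*p)` test directly above it already consumes newlines. Drop it, or if line ends are meant to be handled differently from other blanks, move it ahead of the `isspace()` test and say so in a comment. In the new logging code the literal 60 appears in both the comparison and the `%.60s` format; a comment such as `/* log at most 60 chars of the command line */` would tie the two together. parse_string() starts and ends outside the hunk.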
@@ -648,7 +656,6 @@ exec_file(const char *fn, const char *script, const char *tmpdir, AZ(fclose(f)); vtc_stop = 0; - vtc_desc = NULL; vtc_log(vltop, 1, "TEST %s starting", fn); p = strdup(script); @@ -667,6 +674,5 @@ exec_file(const char *fn, const char *script, const char *tmpdir, else vtc_log(vltop, 1, "TEST %s completed", fn); - free(vtc_desc); return (vtc_error); } From phk at FreeBSD.org Tue Apr 28 08:49:51 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 28 Apr 2015 10:49:51 +0200 Subject: [master] 18eee95 Try disabling PTHREAD_MUTEX_ERRORCHECK on __APPLE__ platforms. Message-ID: commit 18eee95dbc605f9b110eb2b11be434979d3308af Author: Poul-Henning Kamp Date: Tue Apr 28 08:49:33 2015 +0000 Try disabling PTHREAD_MUTEX_ERRORCHECK on __APPLE__ platforms. diff --git a/bin/varnishd/cache/cache_lck.c b/bin/varnishd/cache/cache_lck.c index 5c094f1..1231e1b 100644 --- a/bin/varnishd/cache/cache_lck.c +++ b/bin/varnishd/cache/cache_lck.c @@ -55,8 +55,7 @@ struct ilck { static pthread_mutexattr_t attr; -static VTAILQ_HEAD(, ilck) ilck_head = - VTAILQ_HEAD_INITIALIZER(ilck_head); +static VTAILQ_HEAD(, ilck) ilck_head = VTAILQ_HEAD_INITIALIZER(ilck_head); static pthread_mutex_t lck_mtx; @@ -210,7 +209,9 @@ LCK_Init(void) { AZ(pthread_mutexattr_init(&attr)); +#if !defined(__APPLE__) AZ(pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK)); +#endif AZ(pthread_mutex_init(&lck_mtx, &attr)); #define LOCK(nam) \ lck_##nam = VSM_Alloc(sizeof(struct VSC_C_lck), \ From phk at FreeBSD.org Tue Apr 28 09:07:07 2015 
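Review bot: Nothing in LCK_Init() says why `PTHREAD_MUTEX_ERRORCHECK` is skipped on `__APPLE__`, and the commit title only says "Try". Without that type the mutexes fall back to the default kind, where relocking or unlocking from the wrong thread is no longer reported as an error, so any lock checks that depend on those return codes stop working on that platform. Please add a comment with the reason and the condition for re-enabling it, e.g. `/* XXX: errorcheck mutexes disabled on OSX, see TICKET-PLACEHOLDER */`.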
From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 28 Apr 2015 11:07:07 +0200 Subject: [master] a27af9f Fix an oversight: The correct and systematic thing is for vcl_hit{} to return(miss) rather than return(fetch). Message-ID: commit a27af9f8f286f1d7a38b91928426685a1f33493f Author: Poul-Henning Kamp Date: Tue Apr 28 09:05:44 2015 +0000 Fix an oversight: The correct and systematic thing is for vcl_hit{} to return(miss) rather than return(fetch). For now return(fetch) is still allowed, we don't want to bump vcl version for something this trivial, but it emits a SLT_VCL_Error urging people to change their VCL. Fixes #1603 diff --git a/bin/varnishd/builtin.vcl b/bin/varnishd/builtin.vcl index 6ead64e..3ebe9ce 100644 --- a/bin/varnishd/builtin.vcl +++ b/bin/varnishd/builtin.vcl @@ -109,7 +109,7 @@ sub vcl_hit { return (deliver); } // fetch & deliver once we get the result - return (fetch); + return (miss); } sub vcl_miss { diff --git a/bin/varnishd/cache/cache_req_fsm.c b/bin/varnishd/cache/cache_req_fsm.c index 54c2b5c..f695ad5 100644 --- a/bin/varnishd/cache/cache_req_fsm.c +++ b/bin/varnishd/cache/cache_req_fsm.c @@ -362,6 +362,10 @@ cnt_lookup(struct worker *wrk, struct req *req) req->req_step = R_STP_DELIVER; return (REQ_FSM_MORE); case VCL_RET_FETCH: + VSLb(req->vsl, SLT_VCL_Error, + "change return(fetch) to return(hit) in vcl_hit{}"); + /* FALL-THROUGH */ + case VCL_RET_MISS: if (boc != NULL) { req->objcore = boc; req->stale_oc = oc; diff --git a/bin/varnishtest/tests/r01335.vtc b/bin/varnishtest/tests/r01335.vtc index 8a34d5b..85ff372 100644 --- a/bin/varnishtest/tests/r01335.vtc +++ b/bin/varnishtest/tests/r01335.vtc @@ -10,7 +10,7 @@ server s1 { varnish v1 -vcl+backend { sub vcl_hit { if (req.http.two == "2") { - return (fetch); + return (fetch); // also #1603 } } } -start diff --git a/lib/libvcc/generate.py b/lib/libvcc/generate.py index 19da0e0..2c1226f 100755 --- a/lib/libvcc/generate.py +++ b/lib/libvcc/generate.py 
@@ -108,7 +108,7 @@ returns =( ), ('hit', "C", - ('synth', 'restart', 'pass', 'fetch', 'deliver',) + ('synth', 'restart', 'pass', 'fetch', 'miss', 'deliver',) ), ('deliver', "C", From nils.goroll at uplex.de Tue Apr 28 09:45:39 2015 From: nils.goroll at uplex.de (Nils Goroll) Date: Tue, 28 Apr 2015 11:45:39 +0200 Subject: [master] ec31ef4 leave a sticky note Message-ID: commit ec31ef49187a5c09f55ac166258217a241a2251a Author: Nils Goroll Date: Tue Apr 28 11:45:25 2015 +0200 leave a sticky note diff --git a/lib/libvcc/vcc_parse.c b/lib/libvcc/vcc_parse.c index e235090..510a03f 100644 --- a/lib/libvcc/vcc_parse.c +++ b/lib/libvcc/vcc_parse.c @@ -284,6 +284,8 @@ vcc_ParseDirector(struct vcc *tl) } /*-------------------------------------------------------------------- + * TODO when bumping the vcl version: + * #1603 remove return(fetch) from vcl_hit{} */ static void @@ -298,6 +300,7 @@ vcc_ParseVcl(struct vcc *tl) ver = vcc_DoubleVal(tl); ERRCHK(tl); if (ver != 4.0) { + // see TODO above VSB_printf(tl->sb, "VCL version %.1f not supported.\n", ver); vcc_ErrWhere(tl, tok); ERRCHK(tl); From nils.goroll at uplex.de Tue Apr 28 10:06:15 2015 From: nils.goroll at uplex.de (Nils Goroll) Date: Tue, 28 Apr 2015 12:06:15 +0200 Subject: [master] d454fc1 Typo Message-ID: commit d454fc1a2675844fa2c5b015a5b4cf0bfdbc9730 Author: Nils Goroll Date: Tue Apr 28 12:06:04 2015 +0200 Typo Fixes #1603 diff --git a/bin/varnishd/cache/cache_req_fsm.c b/bin/varnishd/cache/cache_req_fsm.c index f695ad5..d8ade2d 100644 --- a/bin/varnishd/cache/cache_req_fsm.c +++ b/bin/varnishd/cache/cache_req_fsm.c @@ -363,7 +363,7 @@ cnt_lookup(struct worker *wrk, struct req *req) return (REQ_FSM_MORE); case VCL_RET_FETCH: VSLb(req->vsl, SLT_VCL_Error, - "change return(fetch) to return(hit) in vcl_hit{}"); + "change return(fetch) to return(miss) in vcl_hit{}"); /* FALL-THROUGH */ case VCL_RET_MISS: if (boc != NULL) { From nils.goroll at uplex.de Tue Apr 28 10:14:01 2015 
From: nils.goroll at uplex.de (Nils Goroll) Date: Tue, 28 Apr 2015 12:14:01 +0200 Subject: [master] bf5e38e Update docs: vcl_hit{} return(miss) Message-ID: commit bf5e38e60b8dbba055ccdea6a3d90b977302e1fd Author: Nils Goroll Date: Tue Apr 28 12:12:58 2015 +0200 Update docs: vcl_hit{} return(miss) Fixes #1603 diff --git a/doc/graphviz/cache_req_fsm.dot b/doc/graphviz/cache_req_fsm.dot index 5856984..4f934da 100644 --- a/doc/graphviz/cache_req_fsm.dot +++ b/doc/graphviz/cache_req_fsm.dot @@ -120,7 +120,7 @@ digraph cache_req_fsm { ] lookup2 [ shape=record - label="{cnt_lookup:|{vcl_hit\{\}|{req.*|obj.*}}|{deliver|fetch|restart|synth|pass}}" + label="{cnt_lookup:|{vcl_hit\{\}|{req.*|obj.*}}|{deliver|miss|restart|synth|pass}}" ] } lookup:busy:e -> lookup:top:e [label="(waitinglist)", @@ -131,9 +131,9 @@ digraph cache_req_fsm { lookup:h:s -> lookup2 [style=bold,color=green] lookup2:deliver:s -> deliver:n [style=bold,color=green] - lookup2:fetch:s -> miss [style=bold,color=blue] + lookup2:miss:s -> miss [style=bold,color=blue] // XXX should not happen - // lookup2:fetch:s -> pass [style=bold,color=red,label="(no busy obj)"] + // lookup2:miss:s -> pass [style=bold,color=red,label="(no busy obj)"] lookup2:pass:s -> pass [style=bold,color=red] /* cnt_miss */ diff --git a/doc/sphinx/users-guide/vcl-built-in-subs.rst b/doc/sphinx/users-guide/vcl-built-in-subs.rst index 8b00232..a1eba28 100644 --- a/doc/sphinx/users-guide/vcl-built-in-subs.rst +++ b/doc/sphinx/users-guide/vcl-built-in-subs.rst @@ -111,7 +111,7 @@ with one of the following keywords: Deliver the object. If it is stale, a background fetch to refresh it is triggered. - ``fetch`` + ``miss`` Synchronously refresh the object from the backend despite the cache hit. Control will eventually pass to :ref:`vcl_miss`. 
@@ -127,7 +127,9 @@ with one of the following keywords: Transition to :ref:`vcl_synth` with ``resp.status`` and ``resp.reason`` being preset to the arguments of ``synth()``. -.. XXX: #1603 hit should not go to miss + ``fetch`` (deprecated) + same as ``miss``. Will get removed in a future version, triggers a + VCL_Error log message. .. _vcl_miss: From phk at FreeBSD.org Tue Apr 28 10:14:27 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 28 Apr 2015 12:14:27 +0200 Subject: [master] e4cdc7f Use consistent test for OSX Message-ID: commit e4cdc7fca33832206b9f54a965edb0fa84fbe155 Author: Poul-Henning Kamp Date: Tue Apr 28 10:13:35 2015 +0000 Use consistent test for OSX diff --git a/bin/varnishd/cache/cache_lck.c b/bin/varnishd/cache/cache_lck.c index 1231e1b..caac924 100644 --- a/bin/varnishd/cache/cache_lck.c +++ b/bin/varnishd/cache/cache_lck.c @@ -209,7 +209,7 @@ LCK_Init(void) { AZ(pthread_mutexattr_init(&attr)); -#if !defined(__APPLE__) +#if !defined(__APPLE__) && !defined(__MACH__) AZ(pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK)); #endif AZ(pthread_mutex_init(&lck_mtx, &attr)); From phk at FreeBSD.org Tue Apr 28 11:34:46 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 28 Apr 2015 13:34:46 +0200 Subject: [master] 79d1c54 A new, updated SSL rant. Message-ID: commit 79d1c54ccafd8920e208ea3c433281cbb120c843 Author: Poul-Henning Kamp Date: Tue Apr 28 11:34:34 2015 +0000 A new, updated SSL rant. diff --git a/doc/sphinx/phk/index.rst b/doc/sphinx/phk/index.rst index 3cef4af..425d4e5 100644 --- a/doc/sphinx/phk/index.rst +++ b/doc/sphinx/phk/index.rst @@ -8,6 +8,7 @@ You may or may not want to know what Poul-Henning thinks. .. toctree:: :maxdepth: 1 + ssl_again.rst persistent.rst dough.rst wanton_destruction.rst diff --git a/doc/sphinx/phk/ssl_again.rst b/doc/sphinx/phk/ssl_again.rst new file mode 100644 index 0000000..ba4ecf1 --- /dev/null +++ b/doc/sphinx/phk/ssl_again.rst 
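Review bot: `!defined(__APPLE__) && !defined(__MACH__)` is broader than an OS X test, because it also drops `PTHREAD_MUTEX_ERRORCHECK` on any non-Apple platform whose compiler defines `__MACH__`. If the intent is "everything except OS X", the condition should be `#if !(defined(__APPLE__) && defined(__MACH__))`. LCK_Init() continues outside the hunk.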
@@ -0,0 +1,154 @@ +.. _phk_ssl_again: + +============= +SSL revisited +============= + +Four years ago, I wrote a rant about why Varnish has no SSL support +(:ref:`phk_ssl`) and the upcoming 4.1 release is good excuse to +revisit that issue. + +A SSL/TLS library +~~~~~~~~~~~~~~~~~ + +In 2011 I critized OpenSSL's source-code as being a nightmare, +and as much as I Hate To Say I Told You So, I Told You So: See also +"HeartBleed". + +The good news is that HeartBleed made people realize that FOSS +maintainers also have mortgages and hungry kids. + +Various initiatives have been launched to make prevent critical +infrastructure software from being maintained sunday evening between +11 and 12PM by a sleep-deprived and overworked parent, worried about +about being able to pay the bills come the next month. + +We're not there yet, but it's certainly getting better. + +However, implementing TLS and SSL is stil insanely complex, and +thanks to Edward Snowdens whistle-blowing, we have very good reasons +to belive that didn't happen by accident. + +The issue of finding a good TLS/SSL implementation is still the +same and I still don't see one I would want my name associated with. + +OpenBSD's LibreSSL is certainly a step in a right direction, but +time will show if it is viable in the long run -- they do have +a tendency to be -- "SQUIRREL!!" -- distracted. + +Handling Certificates +~~~~~~~~~~~~~~~~~~~~~ + +I still don't see a way to do that. The Varnish worker-process is not +built to compartementalize bits at a cryptographic level and making it +do that would be a non-trivial undertaking. + +But there is new loop-hole here. +One night, waiting for my flight home in Oslo airport, I went though +the entire TLS/SSL handshake process to see if there were anything +one could do, and I realized that you can actually terminate TLS/SSL +without holding the certificate, provided you can ask some process +which does to do a tiny bit of work. 
+ +The next morning `CloudFlare announced the very same thing`_: + +.. _CloudFlare announced the very same thing: https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/ + +This could conceiveably be a way to terminate TLS/SSL in the Varnish-worker +process, while keeping the most valuable crypto-bits away from it. + +But it's still a bad idea +~~~~~~~~~~~~~~~~~~~~~~~~~ + +As I write this, the news that `apps with 350 million downloads`_ in total +are (still) vulnerable to some SSL/TLS Man-In-The-Middle attack is doing the +rounds. + +.. _apps with 350 million downloads: http://arstechnica.com/security/2015/04/27/android-apps-still-suffer-game-over-https-defects-7-months-later/ + +Code is hard, crypto code is double-plus-hard, if not double-squared-hard, +and the world really don't need another piece of code that does an +half-assed job at cryptography. + +If I, or somebody else, were to implement SSL/TLS in Varnish, it would +talk at least half a year to bring the code to a point where I would be +willing to show it to the world. + +Until I get my time-machine working, that half year would be taken +away of other Varnish development, so the result had better be worth +it: If it isn't, we have just increased the total attack-surface +and bug-probability for no better reason than "me too!". + +When I look at something like Willy Tarreau's `HAProxy`_ I have a +hard time to see any significant opportunity for improvement. + +.. _HAProxy: http://www.haproxy.org/ + + +Conclusion +~~~~~~~~~~ + +No, Varnish still won't add SSL/TLS support. + +Instead in Varnish 4.1 we have added support for Willys `PROXY`_ +protocol which makes it possible to communicate the extra details +from a SSL-terminating proxy, such as `HAProxy`_, to Varnish. + +.. _PROXY: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt + +From a security point of view, this is also much better solution +than having SSL/TLS integrated in Varnish. + +When (not if!) 
the SSL/TLS proxy you picked is compromised by a +possibly planted software bug, you can pick another one to replace +it, without loosing all the benefits of Varnish. + +That idea is called the "Software Tools Principle", it's a very old +idea, but it is still one of the best we have. + + +Political PostScript +~~~~~~~~~~~~~~~~~~~~ + +I realize that the above is a pretty strange stance to take in the +current "SSL Everywhere" political climate. + +I'm not too thrilled about the "SSL Everywhere" idea, for a large +number of reasons. + +The most obvious example is that you don't want to bog down your +countrys civil defence agency with SSL/TLS protocol negotiations, +if their website is being deluged by people trying to survive a +natural disaster. + +The next big issue is that there are people who do not have a right +to privacy. In many countries this includes children, prisoners, +stock-traders, flight-controllers, first responders and so on. + +SSL Everywhere will force institutions to either block any internet +connectivity or impose Man-in-The-Middle proxies to comply with +legal requirements of logging and inspection. A clear step in +the wrong direction in my view. + +But one of the biggest problem I have with SSL Everywhere is that +it gives privacy to the actors I think deserve it the least. + +Again and again shady behaviour of big transnational, and therefore +law-less, companies have been exposed by security researchers (or +just interested lay-people) who ran tcpdump. snort or similar traffic +capture programs and saw what went on. + +Remember all the different kind of "magic cookies" used to track +users across the web, against their wish and against laws and regulations ? + +Pretty much all of those were exposed with trivial packet traces. 
+ +With SSL Everywhere, these actors get much more privacy to invade +the privacy of every human being with an internet connection, because +it takes a lot more skill to look into a SSL connection than a +plaintext HTTP connection. + +"Sunshine is said to be the best of disinfectantants" wrote supreme +court justice Brandeis, SSL Everywhere puts all traffic in the shade. + +Poul-Henning, 2015-04-28 From phk at FreeBSD.org Tue Apr 28 14:14:13 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Tue, 28 Apr 2015 16:14:13 +0200 Subject: [master] 2200493 Get the field order right for PROXYv1 Message-ID: commit 22004936371ff45d3cbdb8feffdcd88994dd2090 Author: Poul-Henning Kamp Date: Tue Apr 28 14:13:53 2015 +0000 Get the field order right for PROXYv1 Fixes #1727 diff --git a/bin/varnishd/proxy/cache_proxy_proto.c b/bin/varnishd/proxy/cache_proxy_proto.c index 299777f..6ddcae5 100644 --- a/bin/varnishd/proxy/cache_proxy_proto.c +++ b/bin/varnishd/proxy/cache_proxy_proto.c @@ -110,7 +110,7 @@ vpx_proto1(const struct worker *wrk, struct req *req) hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; - i = getaddrinfo(fld[1], fld[2], &hints, &res); + i = getaddrinfo(fld[1], fld[3], &hints, &res); if (i != 0) { VSLb(req->vsl, SLT_ProxyGarbage, "PROXY1: Cannot resolve source address (%s)", @@ -131,7 +131,7 @@ vpx_proto1(const struct worker *wrk, struct req *req) SES_Set_String_Attr(req->sp, SA_CLIENT_PORT, fld[2]); freeaddrinfo(res); - i = getaddrinfo(fld[3], fld[4], &hints, &res); + i = getaddrinfo(fld[2], fld[4], &hints, &res); if (i != 0) { VSLb(req->vsl, SLT_ProxyGarbage, "PROXY1: Cannot resolve destination address (%s)", @@ -151,7 +151,7 @@ vpx_proto1(const struct worker *wrk, struct req *req) freeaddrinfo(res); VSLb(req->vsl, SLT_Proxy, "1 %s %s %s %s", - fld[1], fld[2], fld[3], fld[4]); + fld[1], fld[3], fld[2], fld[4]); req->htc->pipeline_b = q; return (0); } 
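Review bot: In the second cache_proxy_proto.c hunk (`@@ -131,7`), the unchanged context line `SES_Set_String_Attr(req->sp, SA_CLIENT_PORT, fld[2]);` still reads `fld[2]`, which after this reordering is the destination address rather than the source port. The getaddrinfo() calls and the `SLT_Proxy` record were switched to `fld[3]` for the source port, so the session attribute should follow: `SES_Set_String_Attr(req->sp, SA_CLIENT_PORT, fld[3]);`. Anything that reports the client port from that attribute would otherwise show an address string, which matters when logs are used to attribute connections. The assignments of the other client and server attributes are outside the hunks and deserve the same check; vpx_proto1() starts and ends outside these hunks.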
diff --git a/bin/varnishtest/tests/o00000.vtc b/bin/varnishtest/tests/o00000.vtc index ef535e2..6af0abc 100644 --- a/bin/varnishtest/tests/o00000.vtc +++ b/bin/varnishtest/tests/o00000.vtc @@ -71,14 +71,14 @@ client c1 { delay .1 client c1 { - send "PROXY TCP4 1.2.3.4 1234 D E\r\n" + send "PROXY TCP4 1.2.3.4 D 1234 E\r\n" timeout 8 expect_close } -run delay .1 client c1 { - send "PROXY TCP4 1.2.3.4 1234 5.6.7.8 E\r\n" + send "PROXY TCP4 1.2.3.4 5.6.7.8 1234 E\r\n" timeout 8 expect_close } -run @@ -106,21 +106,21 @@ client c1 { delay .1 client c1 { - send "PROXY TCP6 1:f::2 1234 5:a::8 E\r\n" + send "PROXY TCP6 1:f::2 5:a::8 1234 E\r\n" timeout 8 expect_close } -run delay .1 client c1 { - send "PROXY TCP4 1:f::2 1234 5:a::8 5678\r\n" + send "PROXY TCP4 1:f::2 5:a::8 1234 5678\r\n" timeout 8 expect_close } -run delay .1 client c1 { - send "PROXY TCP6 1.2.3.4 1234 5.6.7.8 5678\r\n" + send "PROXY TCP6 1.2.3.4 5.6.7.8 1234 5678\r\n" timeout 8 expect_close } -run @@ -128,7 +128,7 @@ delay .1 # Finally try something which works... client c1 { - send "PROXY TCP4 1.2.3.4 1234 5.6.7.8 5678\r\n" + send "PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\r\n" txreq rxresp expect resp.http.ci == "1.2.3.4" @@ -143,7 +143,7 @@ client c1 { delay .1 client c1 { - send "PROXY TCP6 1:f::2 1234 5:a::8 5678\r\n" + send "PROXY TCP6 1:f::2 5:a::8 1234 5678\r\n" txreq rxresp expect resp.http.ci == "1:f::2" From daghf at varnish-software.com Tue Apr 28 14:35:19 2015 From: daghf at varnish-software.com (Dag Haavi Finstad) Date: Tue, 28 Apr 2015 16:35:19 +0200 Subject: [master] fd80d9d PROXY1: Avoid AN() on malformed input. Message-ID: commit fd80d9d6da43150443fc96d4c9158ce539f15ee8 Author: Dag Haavi Finstad Date: Tue Apr 28 16:35:07 2015 +0200 PROXY1: Avoid AN() on malformed input. diff --git a/bin/varnishd/proxy/cache_proxy_proto.c b/bin/varnishd/proxy/cache_proxy_proto.c index 6ddcae5..caae7eb 100644 --- a/bin/varnishd/proxy/cache_proxy_proto.c +++ b/bin/varnishd/proxy/cache_proxy_proto.c 
@@ -66,7 +66,8 @@ vpx_proto1(const struct worker *wrk, struct req *req) VSL(SLT_Debug, req->sp->fd, "PROXY1"); q = strchr(req->htc->rxbuf_b, '\r'); - AN(q); + if (!q) + return (-1); *q++ = '\0'; /* Nuke the CRNL */ diff --git a/bin/varnishtest/tests/o00000.vtc b/bin/varnishtest/tests/o00000.vtc index 6af0abc..2018225 100644 --- a/bin/varnishtest/tests/o00000.vtc +++ b/bin/varnishtest/tests/o00000.vtc @@ -157,3 +157,9 @@ client c1 { } -run delay .1 +# Malformed (missing \r) +client c1 { + send "PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\n" + expect_close +} -run +delay .1 From daghf at varnish-software.com Tue Apr 28 19:32:46 2015 From: daghf at varnish-software.com (Dag Haavi Finstad) Date: Tue, 28 Apr 2015 21:32:46 +0200 Subject: [master] ddabce6 Whitespace. Message-ID: commit ddabce6d1f6ce4729ad404df49fa0288e68f1c62 Author: Dag Haavi Finstad Date: Tue Apr 28 21:31:42 2015 +0200 Whitespace. diff --git a/bin/varnishtest/tests/o00000.vtc b/bin/varnishtest/tests/o00000.vtc index 2018225..0b8e6e1 100644 --- a/bin/varnishtest/tests/o00000.vtc +++ b/bin/varnishtest/tests/o00000.vtc @@ -159,7 +159,7 @@ delay .1 # Malformed (missing \r) client c1 { - send "PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\n" - expect_close + send "PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\n" + expect_close } -run delay .1 From phk at FreeBSD.org Wed Apr 29 09:44:40 2015 
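Review bot: The new `if (!q) return (-1);` path in vpx_proto1() rejects a header without `\r` but records nothing, while the resolver failures in the same function (visible in the previous commit's hunks) log an `SLT_ProxyGarbage` record. A silent close makes malformed or probing PROXY input hard to spot in the log; a line such as `VSLb(req->vsl, SLT_ProxyGarbage, "PROXY1: Missing CR");` before the return keeps it visible. The `strchr()` call also depends on the receive buffer being NUL-terminated, which the hunk does not show, so a short comment stating where that is guaranteed would help. The function continues outside the hunk.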
From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 29 Apr 2015 11:44:40 +0200 Subject: [master] 2387054 Latch error values returned from any VDP function, making sure that all subsequent calls to VDP_bytes() becomes noops. This allows calling code to allow calling VDP_bytes() again even if a previous call returned error. Message-ID: commit 238705413c44c21c5ec91e890e34e1b0c1331066 Author: Poul-Henning Kamp Date: Wed Apr 29 09:42:50 2015 +0000 Latch error values returned from any VDP function, making sure that all subsequent calls to VDP_bytes() becomes noops. This allows calling code to allow calling VDP_bytes() again even if a previous call returned error. Submitted by: Martin Fixes #1642 PS: I have given up writing a test-case /phk diff --git a/bin/varnishd/cache/cache.h b/bin/varnishd/cache/cache.h index e2207c0..b9c1dd7 100644 --- a/bin/varnishd/cache/cache.h +++ b/bin/varnishd/cache/cache.h @@ -616,6 +616,7 @@ struct req { /* Deliver pipeline */ struct vdp_entry_s vdp; struct vdp_entry *vdp_nxt; + unsigned vdp_errval; /* Transaction VSL buffer */ struct vsl_log vsl[1]; diff --git a/bin/varnishd/cache/cache_deliver_proc.c b/bin/varnishd/cache/cache_deliver_proc.c index a3701a9..a74b41f 100644 --- a/bin/varnishd/cache/cache_deliver_proc.c +++ b/bin/varnishd/cache/cache_deliver_proc.c @@ -40,6 +40,8 @@ VDP_bytes(struct req *req, enum vdp_action act, const void *ptr, ssize_t len) CHECK_OBJ_NOTNULL(req, REQ_MAGIC); assert(act == VDP_NULL || act == VDP_FLUSH); + if (req->vdp_errval) + return (req->vdp_errval); vdp = req->vdp_nxt; CHECK_OBJ_NOTNULL(vdp, VDP_ENTRY_MAGIC); req->vdp_nxt = VTAILQ_NEXT(vdp, list); 
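Review bot: `unsigned vdp_errval;` is assigned from `retval` and returned from VDP_bytes() in the cache_deliver_proc.c hunks, so its type should match theirs; if `retval` is a signed `int` (its declaration is outside the hunks), a negative error code is stored as a large unsigned value and converted back on return. Declaring it `int vdp_errval;` avoids that round trip. The field also needs a comment, for example `/* first non-zero VDP return, latched; VDP_bytes() is a no-op while set */`. Nothing in this commit clears the latch, so it is worth confirming that a reused `struct req` gets it reset to 0 before the next delivery.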
@@ -47,6 +49,8 @@ VDP_bytes(struct req *req, enum vdp_action act, const void *ptr, ssize_t len) assert(act > VDP_NULL || len > 0); /* Call the present layer, while pointing to the next layer down */ retval = vdp->func(req, act, &vdp->priv, ptr, len); + if (retval) + req->vdp_errval = retval; /* Latch error value */ req->vdp_nxt = vdp; return (retval); } From phk at FreeBSD.org Wed Apr 29 13:13:04 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 29 Apr 2015 15:13:04 +0200 Subject: [master] bbb0506 HTC_S_OVERFLOW is a valid response from the "are_we_there_yet" function. Message-ID: commit bbb050698cee6dd180893786f9596e8b36d51e6d Author: Poul-Henning Kamp Date: Wed Apr 29 13:08:47 2015 +0000 HTC_S_OVERFLOW is a valid response from the "are_we_there_yet" function. diff --git a/bin/varnishd/cache/cache_session.c b/bin/varnishd/cache/cache_session.c index 33cad6b..6391cd7 100644 --- a/bin/varnishd/cache/cache_session.c +++ b/bin/varnishd/cache/cache_session.c @@ -259,6 +259,10 @@ SES_RxReq(const struct worker *wrk, struct req *req, htc_complete_f *func) return (HTC_S_OVERFLOW); } hs = func(req->htc); + if (hs == HTC_S_OVERFLOW) { + WS_ReleaseP(req->htc->ws, req->htc->rxbuf_b); + return (HTC_S_OVERFLOW); + } if (hs == HTC_S_JUNK) { WS_ReleaseP(req->htc->ws, req->htc->rxbuf_b); return (HTC_S_JUNK); From phk at FreeBSD.org Wed Apr 29 13:13:04 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 29 Apr 2015 15:13:04 +0200 Subject: [master] 93c62b3 Get the PROXY1 length check right, it is only the length until the first \n which is limited. Message-ID: commit 93c62b30fb5384d7a0110f45445d6c20088023c8 Author: Poul-Henning Kamp Date: Wed Apr 29 13:10:33 2015 +0000 Get the PROXY1 length check right, it is only the length until the first \n which is limited. Fixes #1728 diff --git a/bin/varnishd/proxy/cache_proxy_proto.c b/bin/varnishd/proxy/cache_proxy_proto.c index caae7eb..1026c04 100644 --- a/bin/varnishd/proxy/cache_proxy_proto.c 
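Review bot: The added `HTC_S_OVERFLOW` branch in SES_RxReq() is a copy of the `HTC_S_JUNK` branch directly below it: both call `WS_ReleaseP(req->htc->ws, req->htc->rxbuf_b)` and return the status. Folding them into one test, `if (hs == HTC_S_OVERFLOW || hs == HTC_S_JUNK) {` followed by `return (hs);`, keeps the workspace release in one place so a later change cannot update one branch and miss the other. SES_RxReq() starts and ends outside the hunk.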
+++ b/bin/varnishd/proxy/cache_proxy_proto.c @@ -66,7 +66,7 @@ vpx_proto1(const struct worker *wrk, struct req *req) VSL(SLT_Debug, req->sp->fd, "PROXY1"); q = strchr(req->htc->rxbuf_b, '\r'); - if (!q) + if (q == NULL) return (-1); *q++ = '\0'; @@ -298,7 +298,7 @@ static enum htc_status_e __match_proto__(htc_complete_f) vpx_complete(struct http_conn *htc) { int i, l, j; - char *p; + char *p, *q; CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC); AZ(htc->pipeline_b); @@ -315,9 +315,10 @@ vpx_complete(struct http_conn *htc) if (j == 0) return (HTC_S_JUNK); if (j == 1 && i == sizeof vpx1_sig) { - if (l > 107) + q = strchr(p + i, '\n'); + if (q != NULL && (q - htc->rxbuf_b) > 107) return (HTC_S_OVERFLOW); - if (strchr(p + i, '\n') == NULL) + if (q == NULL) return (HTC_S_MORE); return (HTC_S_COMPLETE); } From phk at FreeBSD.org Wed Apr 29 13:13:04 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Wed, 29 Apr 2015 15:13:04 +0200 Subject: [master] fc41c5c Add more to the PROXY1 bestiarium Message-ID: commit fc41c5cf4035089a97a53aa357b96bd98b7e6d1e Author: Poul-Henning Kamp Date: Wed Apr 29 13:12:48 2015 +0000 Add more to the PROXY1 bestiarium diff --git a/bin/varnishtest/tests/o00000.vtc b/bin/varnishtest/tests/o00000.vtc index 0b8e6e1..0cb518a 100644 --- a/bin/varnishtest/tests/o00000.vtc +++ b/bin/varnishtest/tests/o00000.vtc @@ -2,8 +2,15 @@ varnishtest "PROXY1 protocol tests" server s1 { rxreq + expect req.http.X-Forwarded-For == 1.2.3.4 txresp + + rxreq + expect req.http.X-Forwarded-For == 1:f::2 + txresp + rxreq + expect req.http.X-Forwarded-For == 1:f::3 txresp } -start @@ -11,6 +18,7 @@ varnish v1 -proto "PROXY" -vcl+backend { import ${vmod_std}; sub vcl_deliver { + set resp.http.url = req.url; set resp.http.li = local.ip; set resp.http.lp = std.port(local.ip); set resp.http.ri = remote.ip; 
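Review bot: In the `@@ -315,9` hunk of vpx_complete(), the 107-byte limit is enforced only once a `\n` has arrived: with `q == NULL` the function returns `HTC_S_MORE` whatever `l` is, so a peer that sends the PROXY1 signature and then withholds the newline is bounded only by the buffer and timeout handling in the caller, not by the protocol limit. Keeping the old test for that case, `if (q == NULL && l > 107) return (HTC_S_OVERFLOW);`, restores the early cut-off (this assumes `l` is the number of bytes received so far, as the removed `if (l > 107)` suggests). `q - htc->rxbuf_b` is the offset of the `\n`, so the line length including it is one more; if 107 is meant as the maximum line length including CRLF, the comparison is off by one. The function begins outside the hunk.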
@@ -129,8 +137,9 @@ delay .1 # Finally try something which works... client c1 { send "PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\r\n" - txreq + txreq -url /1 rxresp + expect resp.http.url == "/1" expect resp.http.ci == "1.2.3.4" expect resp.http.cp == "1234" expect resp.http.si == "5.6.7.8" @@ -144,8 +153,9 @@ delay .1 client c1 { send "PROXY TCP6 1:f::2 5:a::8 1234 5678\r\n" - txreq + txreq -url /2 rxresp + expect resp.http.url == "/2" expect resp.http.ci == "1:f::2" expect resp.http.cp == "1234" expect resp.http.si == "5:a::8" @@ -157,9 +167,40 @@ client c1 { } -run delay .1 +# Try with appended request (See also: #1728) +client c1 { + send "PROXY TCP6 1:f::3 5:a::8 1234 5678\r\nGET /3 HTTP/1.1\r\nHdr1: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n" + rxresp + expect resp.http.url == "/3" +} -run + # Malformed (missing \r) client c1 { send "PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678\n" expect_close } -run delay .1 + +# Malformed, too long (106) +# NB: Should check VSL for proper disposal +client c1 { + send "PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678 \r\n" + expect_close +} -run +delay .1 + +# Malformed, too long (107) +# NB: Should check VSL for proper disposal +client c1 { + send "PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678 \r\n" + expect_close +} -run +delay .1 + +# Malformed, too long (108) +# NB: Should check VSL for proper disposal +client c1 { + send "PROXY TCP4 1.2.3.4 5.6.7.8 1234 5678 \r\n" + expect_close +} -run +delay .1 From phk at FreeBSD.org Thu Apr 30 10:57:10 2015 
From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 30 Apr 2015 12:57:10 +0200 Subject: [master] 5f1fab0 Now that it's clear there won't be a HTTP/1.2, and that HTTP/2.0 is an entirely different protocol, tighten up the version checks correspondingly. Message-ID: commit 5f1fab09409f6919fd227f726b7ad0bac9577a14 Author: Poul-Henning Kamp Date: Thu Apr 30 10:55:13 2015 +0000 Now that it's clear there won't be a HTTP/1.2, and that HTTP/2.0 is an entirely different protocol, tighten up the version checks correspondingly. Also reject HTTP variants prior to HTTP/1.0. diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c index bd8d4b1..bdfdf0d 100644 --- a/bin/varnishd/cache/cache_http.c +++ b/bin/varnishd/cache/cache_http.c @@ -641,7 +641,7 @@ http_DoConnection(struct http *hp) enum sess_close retval; unsigned u, v; - if (hp->protover < 11) + if (hp->protover == 10) retval = SC_REQ_HTTP10; else retval = SC_NULL; diff --git a/bin/varnishd/http1/cache_http1_deliver.c b/bin/varnishd/http1/cache_http1_deliver.c index c0eaeca..5db8754 100644 --- a/bin/varnishd/http1/cache_http1_deliver.c +++ b/bin/varnishd/http1/cache_http1_deliver.c @@ -131,7 +131,7 @@ V1D_Deliver(struct req *req, struct busyobj *bo) req->res_mode |= RES_LEN; if (req->wantbody && !(req->res_mode & RES_LEN)) { - if (req->http->protover >= 11) { + if (req->http->protover == 11) { req->res_mode |= RES_CHUNKED; http_SetHeader(req->resp, "Transfer-Encoding: chunked"); } else { diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c index c99ec30..29110fb 100644 --- a/bin/varnishd/http1/cache_http1_proto.c +++ b/bin/varnishd/http1/cache_http1_proto.c @@ -325,7 +325,7 @@ http1_proto_ver(struct http *hp) else if (!strcasecmp(hp->hd[HTTP_HDR_PROTO].b, "HTTP/1.1")) hp->protover = 11; else - hp->protover = 9; + hp->protover = 0; } /*--------------------------------------------------------------------*/ 
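Review bot: http_DoConnection()'s new `if (hp->protover == 10)` sends every other value down the `SC_NULL` branch, including the `0` that http1_proto_ver() now assigns to unrecognised versions, whereas the old `< 11` test treated anything unknown as HTTP/1.0 and closed. HTTP1_DissectRequest() and HTTP1_DissectResponse() reject 0 in this commit, so parsed messages are covered, but a `struct http` that reaches this function without passing through them would be handled as 1.1 (an assumption to confirm, since the callers are not shown). A comment at the assignment in http1_proto_ver(), e.g. `/* 0 = unsupported, 10 = HTTP/1.0, 11 = HTTP/1.1 */`, would document the encoding that the three equality tests now rely on.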
@@ -344,6 +344,8 @@ HTTP1_DissectRequest(struct http_conn *htc, struct http *hp) if (retval != 0) return (retval); http1_proto_ver(hp); + if (hp->protover == 0) + return (400); if (http_CountHdr(hp, H_Host) > 1) return (400); @@ -399,7 +401,7 @@ HTTP1_DissectResponse(struct http *hp, struct http_conn *htc) if (retval == 0) { http1_proto_ver(hp); - if (hp->protover != 10 && hp->protover != 11) + if (hp->protover == 0) retval = 503; } diff --git a/bin/varnishtest/tests/e00012.vtc b/bin/varnishtest/tests/e00012.vtc index cb0a9e4..8ee2eca 100644 --- a/bin/varnishtest/tests/e00012.vtc +++ b/bin/varnishtest/tests/e00012.vtc @@ -36,10 +36,4 @@ client c1 { expect resp.bodylen == 67 } -run -client c1 { - txreq -url /foo/bar -proto "" - rxresp - expect resp.status == 200 - expect resp.bodylen == 67 -} -run varnish v1 -expect esi_errors == 0 From phk at FreeBSD.org Thu Apr 30 11:24:04 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 30 Apr 2015 13:24:04 +0200 Subject: [master] 5e3eb0a Remove some old dead code and a inconsequential resource leak spotted by Coverity. Message-ID: commit 5e3eb0af4799bd516b8c9b8b649ef2b2b41d4150 Author: Poul-Henning Kamp Date: Thu Apr 30 11:23:39 2015 +0000 Remove some old dead code and a inconsequential resource leak spotted by Coverity. diff --git a/bin/varnishtest/vtc_http.c b/bin/varnishtest/vtc_http.c index 93ddf4e..6cb3d79 100644 --- a/bin/varnishtest/vtc_http.c +++ b/bin/varnishtest/vtc_http.c @@ -1331,7 +1331,7 @@ int http_process(struct vtclog *vl, const char *spec, int sock, int *sfd) { struct http *hp; - char *s, *q; + char *s; int retval; (void)sfd; @@ -1350,10 +1350,9 @@ http_process(struct vtclog *vl, const char *spec, int sock, int *sfd) AN(hp->vsb); s = strdup(spec); - q = strchr(s, '\0'); - assert(q > s); AN(s); parse_string(s, http_cmds, hp, vl); + free(s); retval = hp->fd; VSB_delete(hp->vsb); free(hp->rxbuf); From phk at FreeBSD.org Thu Apr 30 11:31:51 2015 
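Review bot: The new `if (hp->protover == 0) return (400);` in HTTP1_DissectRequest() has no test: the e00012.vtc hunk only deletes the `-proto ""` case that used to expect a 200. A case that sends an unsupported version and expects status 400 would pin the rejection and guard against the check being loosened later. The function continues outside the hunk.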
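Review bot: `free(s);` directly after `parse_string(s, http_cmds, hp, vl);` in http_process() is safe only if none of the command functions keeps a pointer into the buffer it was handed. parse_string() appears to tokenise that buffer in place, so a command that stores an argument pointer would be left with a dangling reference once `s` is freed; whether any entry in `http_cmds` does so is not visible here. Either confirm that and state it in a comment above the `free(s)`, or keep the copy alive for as long as `hp` is used.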
From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 30 Apr 2015 13:31:51 +0200 Subject: [master] 20be063 We don't need to use strncpy() when we explicitly checked the length already. (This appearantly confuses Coverity ?) Message-ID: commit 20be063efb00c390f2586f5b4aff15d47461d337 Author: Poul-Henning Kamp Date: Thu Apr 30 11:31:13 2015 +0000 We don't need to use strncpy() when we explicitly checked the length already. (This appearantly confuses Coverity ?) diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index e0ad875..2544890 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c @@ -401,9 +401,9 @@ identify(const char *i_arg) strcpy(id, "varnishd"); if (i_arg != NULL) { - if (strlen(i_arg) + 1 >= sizeof heritage.identity) + if (strlen(i_arg) + 1 > sizeof heritage.identity) ARGV_ERR("Identity (-i) name too long.\n"); - strncpy(heritage.identity, i_arg, sizeof heritage.identity); + strcpy(heritage.identity, i_arg); i = strlen(id); id[i++] = '/'; for (; i < (sizeof(id) - 1L); i++) { From phk at FreeBSD.org Thu Apr 30 13:32:28 2015 From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 30 Apr 2015 15:32:28 +0200 Subject: [master] aeb1890 Long time no see... Message-ID: commit aeb18904af7ded3b36c112ecbb6563bfafbd1119 Author: Poul-Henning Kamp Date: Thu Apr 30 13:14:27 2015 +0000 Long time no see... diff --git a/bin/varnishtest/flint.lnt b/bin/varnishtest/flint.lnt index 79575ee..8ee39d2 100644 --- a/bin/varnishtest/flint.lnt +++ b/bin/varnishtest/flint.lnt @@ -1,4 +1,7 @@ +// vtc_log's arg2 acts like an assert +-function(__assert(1), vtc_log(2)) + -esym(850, av) -esym(528, iter_call) // Flexelint bug diff --git a/bin/varnishtest/flint.sh b/bin/varnishtest/flint.sh index bb3f5c7..45bbfd8 100755 --- a/bin/varnishtest/flint.sh +++ b/bin/varnishtest/flint.sh @@ -10,5 +10,4 @@ flexelint \ ../../flint.lnt \ ../flint.lnt \ flint.lnt \ - *.c \ - ../../lib/libvarnishapi/*.c + *.c From phk at FreeBSD.org Thu Apr 30 13:32:28 2015 
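Review bot: `strcpy(heritage.identity, i_arg);` in identify() stays in bounds only because `ARGV_ERR(...)` on the line above never returns; that macro is defined outside the hunk, so the guarantee is invisible at the call site. Since `-i` comes from the command line, the copy should carry its own bound, for instance `size_t len = strlen(i_arg) + 1;` checked against `sizeof heritage.identity` and then `memcpy(heritage.identity, i_arg, len);`, or at least a comment stating that ARGV_ERR exits. The corrected `>` comparison itself looks right: a name of `sizeof heritage.identity - 1` characters plus the NUL fits.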
From: phk at FreeBSD.org (Poul-Henning Kamp) Date: Thu, 30 Apr 2015 15:32:28 +0200 Subject: [master] ecddbee Move the necessary strdup() into parse_string and comment that we deliberately leak that copy, so the cmd functions we call don't have to worry about strdup'ing individual arguments. Message-ID: commit ecddbee089d1a00133971b8383d96406263376c9 Author: Poul-Henning Kamp Date: Thu Apr 30 13:14:53 2015 +0000 Move the necessary strdup() into parse_string and comment that we deliberately leak that copy, so the cmd functions we call don't have to worry about strdup'ing individual arguments. diff --git a/bin/varnishtest/vtc.c b/bin/varnishtest/vtc.c index 168423c..653045f 100644 --- a/bin/varnishtest/vtc.c +++ b/bin/varnishtest/vtc.c @@ -255,20 +255,28 @@ extmacro_def(const char *name, const char *fmt, ...) } /********************************************************************** - * Execute a file + * Parse a string + * + * We make a copy of the string and deliberately leak it, so that all + * the cmd functions we call don't have to strdup(3) all over the place. + * + * Static checkers like Coverity may bitch about this, but we don't care. */ void -parse_string(char *buf, const struct cmds *cmd, void *priv, struct vtclog *vl) +parse_string(const char *spec, const struct cmds *cmd, void *priv, + struct vtclog *vl) { char *token_s[MAX_TOKENS], *token_e[MAX_TOKENS]; struct vsb *token_exp[MAX_TOKENS]; - char *p, *q, *f; + char *p, *q, *f, *buf; int nest_brace; int tn; const struct cmds *cp; - assert(buf != NULL); + AN(spec); + buf = strdup(spec); + AN(buf); for (p = buf; *p != '\0'; p++) { if (vtc_error || vtc_stop) break; @@ -359,8 +367,9 @@ parse_string(char *buf, const struct cmds *cmd, void *priv, struct vtclog *vl) if (NULL == strstr(token_s[tn], "${")) continue; token_exp[tn] = macro_expand(vl, token_s[tn]); - if (vtc_error) + if (vtc_error) { return; + } token_s[tn] = VSB_data(token_exp[tn]); token_e[tn] = strchr(token_s[tn], '\0'); } 
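Review bot: The prototype of parse_string() in vtc.h does not say that the function copies `spec` and never frees the copy; only the comment above the definition in vtc.c does. Callers such as cmd_http_loop() invoke it once per iteration, and code like sema_new()'s `r->name = name;` depends on the tokens staying valid, so the contract belongs on the declaration, e.g. `/* Copies spec and never frees the copy; tokens handed to cmd functions stay valid */`. The braces added around `return;` in the `@@ -359,8` hunk change nothing and could be left out of this commit. The body of parse_string() continues outside both hunks.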
@@ -619,7 +628,6 @@ exec_file(const char *fn, const char *script, const char *tmpdir, char *logbuf, unsigned loglen) { unsigned old_err; - char *p; FILE *f; struct extmacro *m; @@ -658,11 +666,8 @@ exec_file(const char *fn, const char *script, const char *tmpdir, vtc_stop = 0; vtc_log(vltop, 1, "TEST %s starting", fn); - p = strdup(script); - AN(p); - vtc_thread = pthread_self(); - parse_string(p, cmds, NULL, vltop); + parse_string(script, cmds, NULL, vltop); old_err = vtc_error; vtc_stop = 1; vtc_log(vltop, 1, "RESETTING after %s", fn); diff --git a/bin/varnishtest/vtc.h b/bin/varnishtest/vtc.h index 29f275a..7837052 100644 --- a/bin/varnishtest/vtc.h +++ b/bin/varnishtest/vtc.h @@ -54,7 +54,7 @@ struct cmds { cmd_f *cmd; }; -void parse_string(char *buf, const struct cmds *cmd, void *priv, +void parse_string(const char *spec, const struct cmds *cmd, void *priv, struct vtclog *vl); cmd_f cmd_delay; diff --git a/bin/varnishtest/vtc_http.c b/bin/varnishtest/vtc_http.c index 6cb3d79..229663d 100644 --- a/bin/varnishtest/vtc_http.c +++ b/bin/varnishtest/vtc_http.c @@ -1256,7 +1256,6 @@ cmd_http_loop(CMD_ARGS) { struct http *hp; unsigned n, m; - char *s; CAST_OBJ_NOTNULL(hp, priv, HTTP_MAGIC); AN(av[1]); @@ -1265,9 +1264,7 @@ cmd_http_loop(CMD_ARGS) n = strtoul(av[1], NULL, 0); for (m = 1 ; m <= n; m++) { vtc_log(vl, 4, "Loop #%u", m); - s = strdup(av[2]); - AN(s); - parse_string(s, cmd, hp, vl); + parse_string(av[2], cmd, hp, vl); } } @@ -1331,7 +1328,6 @@ int http_process(struct vtclog *vl, const char *spec, int sock, int *sfd) { struct http *hp; - char *s; int retval; (void)sfd; @@ -1349,10 +1345,7 @@ http_process(struct vtclog *vl, const char *spec, int sock, int *sfd) AN(hp->rxbuf); AN(hp->vsb); - s = strdup(spec); - AN(s); - parse_string(s, http_cmds, hp, vl); - free(s); + parse_string(spec, http_cmds, hp, vl); retval = hp->fd; VSB_delete(hp->vsb); free(hp->rxbuf); 
diff --git a/bin/varnishtest/vtc_logexp.c b/bin/varnishtest/vtc_logexp.c index 3afec94..b05470d 100644 --- a/bin/varnishtest/vtc_logexp.c +++ b/bin/varnishtest/vtc_logexp.c @@ -453,16 +453,11 @@ static const struct cmds logexp_cmds[] = { static void logexp_spec(struct logexp *le, const char *spec) { - char *s; - CHECK_OBJ_NOTNULL(le, LOGEXP_MAGIC); logexp_delete_tests(le); - s = strdup(spec); - AN(s); - parse_string(s, logexp_cmds, le, le->vl); - free(s); + parse_string(spec, logexp_cmds, le, le->vl); } void diff --git a/bin/varnishtest/vtc_sema.c b/bin/varnishtest/vtc_sema.c index 2ebfdee..1cab9d1 100644 --- a/bin/varnishtest/vtc_sema.c +++ b/bin/varnishtest/vtc_sema.c @@ -61,9 +61,10 @@ sema_new(char *name, struct vtclog *vl) ALLOC_OBJ(r, SEMA_MAGIC); AN(r); - r->name = name; + AN(name); if (*name != 'r') vtc_log(vl, 0, "Sema name must start with 'r' (%s)", name); + r->name = name; AZ(pthread_mutex_init(&r->mtx, NULL)); AZ(pthread_cond_init(&r->cond, NULL)); diff --git a/bin/varnishtest/vtc_varnish.c b/bin/varnishtest/vtc_varnish.c index 7f87479..a50166e 100644 --- a/bin/varnishtest/vtc_varnish.c +++ b/bin/varnishtest/vtc_varnish.c @@ -75,7 +75,6 @@ struct varnish { struct VSM_data *vd; /* vsc use */ unsigned vsl_tag_count[256]; - unsigned vsl_sleep; }; #define NONSENSE "%XJEIFLH|)Xspa8P" From fgsch at lodoss.net Thu Apr 30 21:16:01 2015 From: fgsch at lodoss.net (Federico G. Schwindt) Date: Thu, 30 Apr 2015 23:16:01 +0200 Subject: [master] f990990 Fix varnishd -C Message-ID: commit f9909907254d07fa72a842f985cac29d4a28fe95 Author: Federico G. Schwindt Date: Wed Apr 29 20:26:41 2015 +0100 Fix varnishd -C Broken in ac69df7db6ea97dc244df357e14013e720fe9801. diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c index 2544890..c5413ad 100644 --- a/bin/varnishd/mgt/mgt_main.c +++ b/bin/varnishd/mgt/mgt_main.c 
@@ -674,8 +674,7 @@ main(int argc, char * const *argv)
 if (b_arg != NULL || f_arg != NULL) {
 mgt_vcc_default(cli, b_arg, vcl, C_flag);
- if (C_flag) {
- cli_check(cli);
+ if (C_flag && cli->result == CLIS_OK) {
 AZ(VSB_finish(cli->sb));
 fprintf(stderr, "%s\n", VSB_data(cli->sb));
 exit(0);
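Review bot: A failed compile under `-C` no longer has any visible handling in main(): `if (C_flag && cli->result == CLIS_OK) {` skips the branch on error, and the removed `cli_check(cli);` was the only failure check in the hunk. Unless code after the closing brace (outside the hunk) reports the error and exits, `varnishd -C` with a broken VCL would continue into normal start-up. Making that explicit keeps the flag's contract obvious, for example an `else if (C_flag)` branch that prints the CLI output and exits non-zero.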